Critical Vulnerabilities in Dokan Pro and WooCommerce

Dokan Pro Plugin Vulnerability

Recently, WooCommerce and Wordfence issued advisories regarding vulnerabilities in the Dokan Pro plugin. Wordfence warned about a critical SQL Injection vulnerability that could allow unauthenticated attackers to access sensitive information from a website database.

Dokan Pro WordPress Plugin

The Dokan Pro plugin enables users to create a multi-vendor marketplace within their WooCommerce websites, similar to platforms like Amazon and Etsy. With over 50,000 installations, versions up to 3.10.3 are vulnerable to the exploit. To secure your site, it’s crucial to update to version 3.11.0, which includes the necessary patches.

Despite the severity of the issue, only 30.6% of installations are running the latest version, leaving 69.4% at risk. The lack of transparency in the changelog for version 3.10.4, released on April 25, 2024, raises concerns about the patch’s effectiveness.

CVSS Score 10

The Common Vulnerability Scoring System rated the Dokan Pro vulnerability a 10, indicating the highest level of severity. This score underscores the urgent need for all users to update their plugins immediately.

Description Of Vulnerability

The SQL Injection flaw in Dokan Pro allows attackers to manipulate the database without authentication, posing a significant security threat. Wordfence’s analysis revealed the technical details:

“The Dokan Pro plugin for WordPress is vulnerable to SQL Injection via the ‘code’ parameter in all versions up to, and including, 3.10.3 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.”

Considering the severity of this vulnerability, users are strongly advised to update their Dokan Pro plugins promptly.

WooCommerce Cross Site Scripting (XSS) Vulnerability

On a related note, WooCommerce disclosed a Cross-Site Scripting (XSS) vulnerability in versions 8.8.0 and higher. This medium-level threat affects users with the Order Attribute feature activated and can lead to malicious code execution through manipulated links.

While no exploits have been reported, WooCommerce recommends immediate updates to version 8.9.3 to mitigate any potential risks. The proactive identification of the issue by Automattic’s security research team highlights the importance of ongoing vigilance.

Should Web Hosts Be More Proactive?

Adam J. Humphreys, a web developer and search marketing expert, advocates for greater host responsibility in patching critical vulnerabilities. He suggests that WordPress’s lack of auto-updates poses a significant security risk to the millions of websites built on the platform.

“WordPress without ongoing management is a vulnerability, and yet half of all websites are made with it. This is an oversight by WordPress that should be addressed, in my opinion.”

As the digital landscape evolves, the onus is on both developers and hosts to prioritize security and ensure the integrity of online platforms.

For more information, visit Wordfence’s analysis of the Dokan Pro vulnerability here. Additionally, read the official WooCommerce documentation on the XSS vulnerability here.

Image/Photo credit: source url