Zero Day Monitor (ZDM) © 2026
CVE-2026-3504 · CVSS 5.3 · EXPLOITED
Vendor: dokan · Product: Dokan: AI Powered WooCommerce Multivendor Marketplace Solution

Dokan: AI Powered WooCommerce Multivendor Marketplace Solution <= 4.3.1 - Unauthenticated Information Disclosure in Store Reviews REST API Endpoint

Description

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.1 via the '/dokan/v1/stores/{id}/reviews' REST API endpoint. This is due to the 'prepare_reviews_for_response' method including reviewer email addresses, usernames, and user IDs in the API response. This makes it possible for unauthenticated attackers to extract email addresses, usernames, and user IDs of all customers who left reviews on any vendor's store. The Pro version of the plugin must be installed and activated, with store reviews enabled, in order to exploit the vulnerability.

Affected Products

Vendor   Product                                                          Versions
dokan    dokan: ai powered woocommerce multivendor marketplace solution   0

References

  • https://www.wordfence.com/threat-intel/vulnerabilities/id/02b0d7d7-8a10-48de-b1e1-7e1f1fda6ffe?source=cve
  • https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreController.php#L125
  • https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreController.php#L835
  • https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreController.php#L854
  • https://plugins.trac.wordpress.org/changeset/3481799/

Related News (1 article)

Tier C
VulDB · 56d ago
CVE-2026-3504 | dokaninc Dokan: AI Powered WooCommerce Multivendor Marketplace Solution Plugin REST API Endpoint reviews prepare_reviews_for_response information disclosure
→ No new info (linked only)
CVSS 3.1: 5.3 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA KEV: No
Actively exploited: Yes
CWE: CWE-200
Published: May 2, 2026
Last enriched: 56d ago (v2)
Trending Score: 0
Source articles: 1
Independent: 1
Info Completeness: 8/14
Missing: epss, kev, exploit, patch, iocs, mitre_attack


Related CVEs (5)

CRITICAL · CVE-2026-56033 · EXP
WordPress Dokan Pro plugin <= 5.0.4 - Privilege Escalation vulnerability
Trending: 53
HIGH · CVE-2026-11987 · EXP
Dokan: AI Powered WooCommerce Multivendor Marketplace Solution <= 5.0.4 - Authenticated (Subscriber+) Insecure Direct Object Reference to Information Disclosure via 'id' Parameter
Trending: 43
HIGH · CVE-2026-11783 · EXP
Dokan: AI Powered WooCommerce Multivendor Marketplace Solution <= 5.0.4 - Authenticated (Custom+) Stored Cross-Site Scripting via Product SKU
Trending: 43
HIGH · CVE-2026-49780
WordPress Dokan plugin <= 5.0.2 - Privilege Escalation vulnerability
Trending: 7
MEDIUM · CVE-2026-10023
Dokan: AI Powered WooCommerce Multivendor Marketplace Solution <= 5.0.3 - Insecure Direct Object Reference to Authenticated (Custom+) Arbitrary Order Modification via Multiple AJAX Handlers
Trending: 6

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: May 2, 2026
Discovered by ZDM: May 2, 2026
Updated (description, affectedVersions, severity, activelyExploited): May 2, 2026
Actively Exploited: May 4, 2026

Version History

Current version: v2 (last enriched 56d ago)

v2 · Tier C · 56d ago

Updated vendor to 'dokaninc', changed severity to HIGH, and marked the vulnerability as actively exploited.

Fields changed: description, affectedVersions, severity, activelyExploited
Source: VulDB

v1 · 56d ago

Initial creation