
CVE-2026-10023: Dokan WooCommerce Auth Bypass Vulnerability

CVE-2026-10023 is an authentication bypass flaw in the Dokan WooCommerce plugin that allows vendor-level attackers to manipulate arbitrary orders via IDOR. This post covers technical details, affected versions, and mitigation.


CVE-2026-10023 Overview

CVE-2026-10023 is an Insecure Direct Object Reference (IDOR) vulnerability [CWE-639] in the Dokan WooCommerce Multivendor Marketplace plugin for WordPress. The flaw affects all versions up to and including 5.0.3. Multiple AJAX handlers fail to validate order ownership before processing requests against a user-controlled order ID. Authenticated vendors can manipulate any order in the marketplace, including changing order status, injecting notes, deleting comments, forging shipping tracking, and modifying downloadable-product access.

Critical Impact

Authenticated vendor-level attackers can tamper with arbitrary orders across a multivendor marketplace, sending forged customer-facing notification emails and disrupting fulfillment for competing vendors.

Affected Products

  • Dokan Lite plugin for WordPress, versions up to and including 5.0.3
  • Dokan multivendor marketplace deployments running on WooCommerce
  • WordPress sites with custom vendor-level roles configured

Discovery Timeline

  • 2026-06-18 - CVE-2026-10023 published to NVD
  • 2026-06-18 - Last updated in NVD database

Technical Details for CVE-2026-10023

Vulnerability Analysis

The vulnerability resides in six AJAX handlers exposed by the Dokan plugin: change_order_status, add_order_note, delete_order_note, add_shipping_tracking_info, grant_access_to_download, and revoke_access_to_download. Each handler accepts an order_id parameter from the request and operates on the referenced order without confirming the authenticated vendor owns it. An attacker with vendor-level access can substitute another vendor's order ID and invoke administrative actions on that order.

The exploitable code paths are present in includes/Ajax.php at lines 225, 293, 378, 400, 439, and 511 in the 5.0.1 tag and remain unpatched through 5.0.3.

Root Cause

The handlers enforce authentication and nonce checks but omit ownership validation. The plugin treats nonce verification as sufficient proof of authorization. WordPress nonces are a CSRF defense: they only confirm that the request was generated for the current user's session and the named action, not that the session has rights to the referenced resource. The missing capability and ownership comparison between the current vendor and the order's seller is the underlying defect.

Attack Vector

A vendor-level attacker loads their own dashboard order page at /dashboard/orders/?order_id=OWN_ORDER_ID to harvest a freshly generated nonce. The attacker then issues an AJAX POST to the vulnerable handler, supplying the harvested nonce together with a victim vendor's order_id. The server validates the nonce, accepts the request, and mutates the targeted order. This rebuts any defense argument that nonce scarcity prevents exploitation, because vendors legitimately generate valid nonces on demand.

Detection Methods for CVE-2026-10023

Indicators of Compromise

  • AJAX POST requests to admin-ajax.php with action=dokan_change_order_status, dokan_add_order_note, dokan_delete_order_note, dokan_add_shipping_tracking_info, dokan_grant_access_to_download, or dokan_revoke_access_to_download where the requesting user is not the seller of the referenced order_id.
  • Unexpected WooCommerce status transitions on orders that the assigned vendor did not initiate.
  • Customer-facing order notes or shipping tracking entries created by a user account other than the order's vendor of record.

Detection Strategies

  • Correlate WordPress audit logs with WooCommerce order metadata to flag mismatches between the acting user ID and the order's _dokan_vendor_id post meta.
  • Monitor wp_comments deletions where the deleting user did not author the comment and is not an administrator.
  • Alert on bursts of add_order_note or add_shipping_tracking_info calls from a single vendor account against orders spanning multiple sellers.
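The first and third detection strategies above, as an added example that is not part of this advisory: it runs over constructed audit lines for admin-ajax.php, flags calls to the six affected actions whose acting user is not the order's _dokan_vendor_id, and reports accounts that touched orders belonging to several different sellers. The log line format and the order-to-vendor map are constructed for this example; adapt the regex to your own audit log format.

```php
<?php
// Added example (not from the advisory or Dokan): flags admin-ajax.php calls to
// the six affected actions whose acting user is not the order's vendor of record,
// plus single-vendor bursts spanning several sellers. The log format and the
// order => _dokan_vendor_id map below are constructed for this example.

const DOKAN_ORDER_ACTIONS = [
    'dokan_change_order_status', 'dokan_add_order_note', 'dokan_delete_order_note',
    'dokan_add_shipping_tracking_info', 'dokan_grant_access_to_download',
    'dokan_revoke_access_to_download',
];

// Parse one audit line into [user, action, order_id], or null if it is not an AJAX call.
function parse_ajax_line(string $line): ?array {
    $re = '/user=(\d+) .*admin-ajax\.php.*action=(dokan_\w+).*order_id=(\d+)/';
    return preg_match($re, $line, $m)
        ? ['user' => (int) $m[1], 'action' => $m[2], 'order_id' => (int) $m[3]]
        : null;
}

// $order_vendor maps order_id => _dokan_vendor_id. Returns the mismatched lines
// and, per acting user, how many distinct sellers' orders were touched.
function flag_foreign_order_actions(array $lines, array $order_vendor, int $burst_min = 2): array {
    $mismatch = [];
    $sellers_per_user = [];
    foreach ($lines as $line) {
        $ev = parse_ajax_line($line);
        if ($ev === null || ! in_array($ev['action'], DOKAN_ORDER_ACTIONS, true)) {
            continue;
        }
        $vendor = $order_vendor[$ev['order_id']] ?? null;   // unknown order => mismatch
        if ($vendor !== $ev['user']) {
            $mismatch[] = $line;
        }
        $sellers_per_user[$ev['user']][$vendor ?? 'unknown'] = true;
    }
    $burst = array_filter(array_map('count', $sellers_per_user), fn ($n) => $n >= $burst_min);
    return ['mismatch' => $mismatch, 'burst' => $burst];
}

// Constructed sample: vendor 7 touches its own order 100, then vendor 9's orders 200 and 201.
$sample_log = [
    '2026-06-18T10:00:01Z user=7 POST /wp-admin/admin-ajax.php action=dokan_add_order_note order_id=100',
    '2026-06-18T10:00:05Z user=7 POST /wp-admin/admin-ajax.php action=dokan_change_order_status order_id=200',
    '2026-06-18T10:00:09Z user=7 POST /wp-admin/admin-ajax.php action=dokan_add_shipping_tracking_info order_id=201',
    '2026-06-18T10:00:12Z user=9 POST /wp-admin/admin-ajax.php action=dokan_add_order_note order_id=200',
];
print_r(flag_foreign_order_actions($sample_log, [100 => 7, 200 => 9, 201 => 9]));
```

In production, build the order-to-vendor map from the orders' _dokan_vendor_id meta rather than a literal array, and treat an order the map does not know as a mismatch, as the function does here.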

Monitoring Recommendations

  • Enable verbose logging on admin-ajax.php and forward logs to a centralized analytics platform for retention and search.
  • Track outbound WooCommerce notification email volume per vendor account to surface anomalous spikes triggered by injected customer-facing notes.
  • Review vendor role assignments and audit any custom roles granted dokandar capabilities.

How to Mitigate CVE-2026-10023

Immediate Actions Required

  • Upgrade the Dokan plugin to a version newer than 5.0.3 once the vendor publishes a fix that adds ownership validation to the affected AJAX handlers.
  • Audit recent order status changes, order notes, shipping tracking entries, and downloadable-product permission grants for the past 90 days.
  • Restrict creation of new vendor accounts and require manual approval until the plugin is patched.

Patch Information

A fix is tracked in the upstream repository via the Dokan GitHub Pull Request #3246. Source-code analysis confirms the vulnerable code path remains unpatched through version 5.0.1. Administrators should monitor the Wordfence Vulnerability Report and the WordPress Changeset Overview for the official patched release.

Workarounds

  • Deploy a Web Application Firewall (WAF) rule that inspects requests to admin-ajax.php for the affected action values and blocks requests where the order_id does not belong to the requesting vendor.
  • Apply a custom must-use plugin that hooks the affected AJAX actions early and verifies the current user matches the order's _dokan_vendor_id before allowing execution.
  • Temporarily disable vendor self-service for order status changes, notes, shipping tracking, and downloadable-product access while a patch is pending.
```php
<?php
// Configuration example
// Disable the vulnerable AJAX actions via a must-use plugin until patched
// Save as wp-content/mu-plugins/dokan-cve-2026-10023-mitigation.php
add_action('init', function () {
    $actions = [
        'dokan_change_order_status',
        'dokan_add_order_note',
        'dokan_delete_order_note',
        'dokan_add_shipping_tracking_info',
        'dokan_grant_access_to_download',
        'dokan_revoke_access_to_download',
    ];
    foreach ($actions as $action) {
        // Unhook every callback registered for this AJAX action, which disables
        // the corresponding vendor self-service feature until the plugin is patched.
        remove_all_actions('wp_ajax_' . $action);
    }
}, PHP_INT_MAX); // late priority so Dokan has already registered its handlers
```
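The must-use plugin described in the second workaround above, as an added example that is neither Dokan's own code nor part of this advisory: instead of disabling the six actions outright, it hooks each one before the plugin's handler and rejects requests whose order_id does not belong to the current vendor. It assumes, as this page states, that the handlers read the target order from the order_id request parameter and that the seller's user ID is stored in the order's _dokan_vendor_id meta; users with the manage_woocommerce capability (shop managers and administrators) are allowed through.

```php
<?php
/**
 * Plugin Name: Dokan order-ownership guard (interim mitigation, added example)
 * Save as wp-content/mu-plugins/dokan-order-ownership-guard.php
 *
 * Assumes (per this advisory) that the six handlers take the target order from
 * the order_id request parameter and that the selling vendor's user ID is the
 * order's _dokan_vendor_id meta. Not Dokan's code; verify against your install.
 */

const DOKAN_GUARDED_ACTIONS = [
    'dokan_change_order_status', 'dokan_add_order_note', 'dokan_delete_order_note',
    'dokan_add_shipping_tracking_info', 'dokan_grant_access_to_download',
    'dokan_revoke_access_to_download',
];

// True only if the current user is the order's vendor of record, or a user who
// may manage every order (shop managers and administrators).
function dokan_guard_user_owns_order(int $order_id): bool {
    if ($order_id <= 0 || ! function_exists('wc_get_order')) {
        return false;
    }
    $order = wc_get_order($order_id);
    if (! $order) {
        return false; // unknown order: deny rather than fall through to the handler
    }
    if (current_user_can('manage_woocommerce')) {
        return true;
    }
    // get_meta() reads the order meta under both post storage and HPOS.
    $vendor_id = (int) $order->get_meta('_dokan_vendor_id', true);
    return $vendor_id > 0 && $vendor_id === get_current_user_id();
}

// Priority 0 runs before the plugin's own handler (default priority 10), and
// wp_send_json_error() ends the request, so the handler never sees a foreign order.
foreach (DOKAN_GUARDED_ACTIONS as $action) {
    add_action('wp_ajax_' . $action, function () {
        $order_id = absint($_REQUEST['order_id'] ?? 0);
        if (! dokan_guard_user_owns_order($order_id)) {
            wp_send_json_error(['message' => 'You do not own this order.'], 403);
        }
    }, 0);
}
```

If a handler in your installed version posts the order under a different parameter name, its legitimate requests will be rejected as well (the guard fails closed), so confirm the parameter name in includes/Ajax.php before deploying.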

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
