CVE-2026-12224 Overview
CVE-2026-12224 is a privilege escalation vulnerability in the Dokan Pro plugin for WordPress affecting all versions up to and including 5.0.4. The flaw resides in the update_capabilities() REST endpoint, which accepts arbitrary capability strings from the request body and forwards them to WP_User::add_cap() without allowlist validation. The handler only checks that the caller holds the dokandar capability. Authenticated attackers with self-provisioned Vendor-level access on sites running the Vendor Staff module can assign any WordPress capability, including administrator, to a vendor_staff account. Successful exploitation results in full site takeover. The vulnerability is tracked under [CWE-269: Improper Privilege Management].
Critical Impact
Authenticated vendors on affected Dokan Pro sites can escalate vendor_staff accounts to full administrator, resulting in complete WordPress site compromise.
Affected Products
- Dokan Pro plugin for WordPress, all versions up to and including 5.0.4
- WordPress sites with the Dokan Pro Vendor Staff module enabled
- Multi-vendor marketplaces relying on Dokan Pro role management
Discovery Timeline
- 2026-07-01 - CVE-2026-12224 published to NVD
- 2026-07-01 - Last updated in NVD database
Technical Details for CVE-2026-12224
Vulnerability Analysis
The vulnerability originates in the Dokan Pro Vendor Staff module, which exposes a REST endpoint backed by the update_capabilities() handler. This handler is designed to let vendors adjust the capabilities of their own staff accounts. Instead of restricting assignable values to a predefined set of vendor-scoped capabilities, the handler reads capability strings directly from the JSON request body. It then invokes WP_User::add_cap() on the target vendor_staff user with those attacker-controlled values. Because WordPress capabilities include manage_options, edit_users, and other administrator-level privileges, an authenticated vendor can promote a controlled staff account to full administrator. The attacker then uses that staff account to install plugins, modify content, exfiltrate data, or drop persistent backdoors.
Root Cause
The root cause is missing allowlist validation on user-supplied capability strings. The endpoint enforces authorization by verifying the caller possesses the dokandar capability, which every Vendor holds by default. It does not, however, constrain which capabilities may be granted. Any capability recognized by WordPress core or other installed plugins is accepted and applied verbatim, violating the principle of least privilege.
Attack Vector
Exploitation requires network access to the WordPress REST API and a valid Vendor-level account. On sites that allow open vendor registration, an attacker can self-provision the required access. The attacker then creates or targets an existing vendor_staff user and issues an authenticated request to the update_capabilities REST route, supplying capability strings such as administrator or manage_options. WordPress persists the granted capabilities to the wp_usermeta table, and the staff account gains administrative access on the next authenticated session.
No verified public exploit code is available at the time of publication. Technical details are documented in the Wordfence Vulnerability Report.
Detection Methods for CVE-2026-12224
Indicators of Compromise
- REST API requests to Dokan endpoints containing update_capabilities in the URI, originating from Vendor accounts.
- vendor_staff users with administrator, manage_options, edit_users, or other elevated capabilities in wp_usermeta.
- Unexpected creation of new administrator accounts, plugin installations, or theme edits following vendor activity.
- Outbound connections from the WordPress host to unfamiliar domains shortly after suspicious vendor logins.
Detection Strategies
- Audit the wp_usermeta table for wp_capabilities entries on vendor_staff users that include capabilities outside the expected vendor-staff set.
- Enable WordPress and web server access logging, then alert on POST or PUT requests targeting Dokan update_capabilities REST routes.
- Correlate REST API calls modifying capabilities with subsequent administrative actions from the same account.
Monitoring Recommendations
- Forward WordPress audit logs and web server logs to a centralized SIEM for retention and correlation.
- Monitor for creation of new vendor_staff accounts followed by capability changes within a short time window.
- Track file integrity on wp-content/plugins/ and wp-content/themes/ to detect post-exploitation persistence.
How to Mitigate CVE-2026-12224
Immediate Actions Required
- Update Dokan Pro to a patched release above 5.0.4 as soon as the vendor makes it available. Consult the Dokan Official Website for release notes.
- Disable the Vendor Staff module until the plugin is patched, if the feature is not required.
- Review all vendor_staff and vendor accounts for unexpected capabilities and revoke any elevated privileges.
- Rotate credentials and application passwords for administrator accounts on affected sites.
Patch Information
Dokan Pro releases addressing this vulnerability will supersede version 5.0.4. Refer to the Wordfence Vulnerability Report and vendor advisories for the fixed version identifier and update instructions.
Workarounds
- Disable the Dokan Pro Vendor Staff module through the plugin administration interface.
- Restrict access to the WordPress REST API using a web application firewall rule that blocks unauthenticated and low-privilege requests to Dokan update_capabilities routes.
- Close open vendor registration and require manual approval of new vendor accounts to raise the barrier to exploitation.
- Enforce least-privilege review of custom roles to ensure the dokandar capability is granted only to trusted users.
# Example WAF rule concept to block exploitation attempts
# Deny POST/PUT requests to Dokan capability endpoints that include
# administrator-level capability strings in the JSON body.
SecRule REQUEST_URI "@rx /wp-json/dokan/.*/update_capabilities" \
"id:1029224,phase:2,deny,status:403,\
msg:'Blocked Dokan Pro CVE-2026-12224 exploit attempt',\
chain"
SecRule REQUEST_BODY "@rx (administrator|manage_options|edit_users|promote_users)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

