CVE-2026-3504 Overview
CVE-2026-3504 is an information disclosure vulnerability in the Dokan: AI Powered WooCommerce Multivendor Marketplace Solution plugin for WordPress. The flaw affects all versions up to and including 4.3.1. The /dokan/v1/stores/{id}/reviews REST API endpoint exposes reviewer email addresses, usernames, and user IDs in its responses. Unauthenticated attackers can extract personally identifiable information (PII) of every customer who left a store review. Exploitation requires that Dokan Pro be installed and activated with store reviews enabled. The vulnerability is categorized as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).
Critical Impact
Unauthenticated remote attackers can harvest customer email addresses, usernames, and user IDs from any vendor store with reviews enabled, enabling phishing and credential stuffing campaigns.
Affected Products
- Dokan: AI Powered WooCommerce Multivendor Marketplace Solution plugin for WordPress (versions ≤ 4.3.1)
- Dokan Pro extension (must be installed and activated)
- WordPress sites with store reviews feature enabled
Discovery Timeline
- 2026-05-02 - CVE-2026-3504 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-3504
Vulnerability Analysis
The vulnerability resides in the StoreController.php file of the dokan-lite plugin, specifically within the prepare_reviews_for_response method. The REST endpoint /dokan/v1/stores/{id}/reviews is publicly accessible without authentication. When the plugin builds the JSON response object, it embeds reviewer fields that should remain server-side only. These fields include the reviewer's email address, WordPress username, and numeric user ID for every comment record returned by the endpoint.
An attacker can iterate through vendor store IDs and collect bulk PII without any credentials. The exposed data enables targeted phishing, account enumeration, and credential stuffing attacks against the marketplace's customer base. The issue only surfaces when the Pro version is active and store reviews are enabled, but those conditions are common in production multivendor deployments.
Root Cause
The root cause is improper output filtering in the response preparation logic. The prepare_reviews_for_response method serializes WordPress comment objects directly into the API response without stripping sensitive author metadata. WordPress comment objects natively contain comment_author_email, user_id, and login data, which the method should redact for unauthenticated callers. Code review references point to lines 125, 835, and 854 of StoreController.php as the relevant locations.
Attack Vector
Exploitation requires only network access to the target WordPress site. An unauthenticated attacker sends a GET request to /wp-json/dokan/v1/stores/{id}/reviews, where {id} is any valid vendor store identifier. The server returns a JSON array containing review records with reviewer email, username, and user ID fields populated. The attacker can script enumeration across all known vendor IDs to harvest the full customer dataset.
No verified exploit code is publicly available. Refer to the Wordfence Vulnerability Report and the WordPress Code Review at Line 125 for technical details.
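The serialization mistake described above, and the allow-list pattern that fixes it, as an added illustration written for this page in Python; it is not the plugin's PHP code and does not reproduce the actual StoreController.php logic. The sample comment records are constructed (field names mirror WordPress comment objects, values are invented), and the function names leaky_prepare_reviews, hardened_prepare_reviews and find_pii_leaks are hypothetical. The last function doubles as the egress check a defender can run over a captured JSON response to confirm no reviewer identity fields are leaving the application tier:

```python
import json
import re

# Constructed sample: records shaped like the WordPress comment rows a store
# review is stored in. Names, emails and IDs are invented for this example.
SAMPLE_COMMENTS = [
    {
        "comment_ID": "101", "comment_post_ID": "42",
        "comment_author": "Alice Example",
        "comment_author_email": "alice@example.test",
        "comment_content": "Great vendor, fast shipping.",
        "comment_date": "2026-04-10 09:12:00",
        "user_id": "7", "user_login": "alice", "rating": 5,
    },
    {
        "comment_ID": "102", "comment_post_ID": "42",
        "comment_author": "Bob Example",
        "comment_author_email": "bob@example.test",
        "comment_content": "Item arrived damaged.",
        "comment_date": "2026-04-12 17:45:00",
        "user_id": "9", "user_login": "bob", "rating": 2,
    },
]

# Reviewer identity fields that must never reach an anonymous caller.
SENSITIVE_FIELDS = {"comment_author_email", "user_id", "user_login"}
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

# Fields that are safe to expose publicly (explicit allow-list).
PUBLIC_FIELDS = ("comment_ID", "comment_post_ID", "comment_author",
                 "comment_content", "comment_date", "rating")


def leaky_prepare_reviews(comments):
    """Leaky pattern: the stored record is copied into the response as-is,
    so every column, including email and login, goes out on the wire."""
    return [dict(c) for c in comments]


def hardened_prepare_reviews(comments, is_privileged=False):
    """Hardened pattern: build each response item from an allow-list of
    public fields; identity fields are added only for privileged callers."""
    out = []
    for c in comments:
        item = {k: c[k] for k in PUBLIC_FIELDS if k in c}
        if is_privileged:
            item.update({k: c[k] for k in SENSITIVE_FIELDS if k in c})
        out.append(item)
    return out


def find_pii_leaks(payload):
    """Walk a JSON-serializable payload and return the paths of any
    sensitive keys or email-shaped string values found in it.
    Usable as an egress audit over a captured API response."""
    leaks = []

    def walk(node, path):
        if isinstance(node, dict):
            for k, v in node.items():
                p = f"{path}.{k}" if path else k
                if k in SENSITIVE_FIELDS:
                    leaks.append(p)
                elif isinstance(v, str) and EMAIL_RE.fullmatch(v):
                    leaks.append(p)  # email value under a non-obvious key
                walk(v, p)
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, f"{path}[{i}]")

    walk(payload, "")
    return leaks


if __name__ == "__main__":
    leaky = leaky_prepare_reviews(SAMPLE_COMMENTS)
    safe = hardened_prepare_reviews(SAMPLE_COMMENTS)
    print("leaky response leaks:", find_pii_leaks(leaky))
    print("hardened response leaks:", find_pii_leaks(safe))
    print(json.dumps(safe, indent=2))
```

The allow-list is the important design choice: a deny-list of "known bad" fields silently fails the next time a plugin adds a column to the comment record, whereas an allow-list only ever exposes what was deliberately chosen.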
Detection Methods for CVE-2026-3504
Indicators of Compromise
- Unauthenticated GET requests to /wp-json/dokan/v1/stores/*/reviews from a single source IP enumerating sequential store IDs
- High-volume access patterns to the reviews REST endpoint outside normal browsing behavior
- Outbound API responses containing email, user_login, or user_id fields tied to comment data
Detection Strategies
- Inspect web server access logs for repeated requests to the /dokan/v1/stores/{id}/reviews path with rotating numeric IDs
- Deploy a Web Application Firewall (WAF) rule to flag unauthenticated requests to the Dokan reviews endpoint
- Audit JSON response payloads in egress traffic for reviewer email patterns leaving the application tier
Monitoring Recommendations
- Enable verbose REST API logging in WordPress and forward to a centralized SIEM for correlation
- Track request rates per IP against the /wp-json/dokan/ namespace and alert on anomalous spikes
- Monitor user enumeration patterns by reviewing 200-status responses returning structured user data to anonymous sessions
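The log-review strategy from the detection and monitoring lists above, as an added example written for this page (not tooling from Wordfence or the Dokan project). It parses web-server access logs in combined log format, attributes each hit on the store reviews endpoint to a source IP and store ID, and flags any IP that requested a configurable number of distinct store IDs within a time window. The log lines are constructed for the example, with documentation-range IPs and invented store IDs; the threshold values are assumptions to tune per site. It also recognises the /?rest_route= form of the WordPress REST API, which a path-only WAF rule would not see:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (nginx/Apache combined format). IPs, timestamps,
# store IDs and user agents are invented for this example.
SAMPLE_LOG = """\
203.0.113.10 - - [03/May/2026:10:00:01 +0000] "GET /wp-json/dokan/v1/stores/1/reviews HTTP/1.1" 200 1532 "-" "curl/8.5.0"
203.0.113.10 - - [03/May/2026:10:00:02 +0000] "GET /wp-json/dokan/v1/stores/2/reviews HTTP/1.1" 200 987 "-" "curl/8.5.0"
203.0.113.10 - - [03/May/2026:10:00:02 +0000] "GET /wp-json/dokan/v1/stores/3/reviews HTTP/1.1" 200 2210 "-" "curl/8.5.0"
203.0.113.10 - - [03/May/2026:10:00:03 +0000] "GET /wp-json/dokan/v1/stores/4/reviews HTTP/1.1" 404 52 "-" "curl/8.5.0"
203.0.113.10 - - [03/May/2026:10:00:03 +0000] "GET /?rest_route=/dokan/v1/stores/5/reviews HTTP/1.1" 200 1780 "-" "curl/8.5.0"
198.51.100.7 - - [03/May/2026:10:01:10 +0000] "GET /store/alices-shop/ HTTP/1.1" 200 45120 "-" "Mozilla/5.0"
198.51.100.7 - - [03/May/2026:10:01:12 +0000] "GET /wp-json/dokan/v1/stores/12/reviews HTTP/1.1" 200 1320 "https://shop.example.test/store/alices-shop/" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Both ways WordPress routes a REST request: pretty permalink and rest_route query.
REVIEWS_RE = re.compile(
    r'(?:/wp-json|/\?rest_route=)/dokan/v1/stores/(?P<store_id>\d+)/reviews(?:[/?]|$)'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse.
    store_id is set when the request targets the store reviews endpoint."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    r = REVIEWS_RE.search(rec["path"])
    rec["store_id"] = int(r.group("store_id")) if r else None
    return rec


def detect_enumeration(log_text, min_distinct_ids=3, window_seconds=60):
    """Flag source IPs that requested >= min_distinct_ids distinct store IDs
    on the reviews endpoint within window_seconds. 404s count as probes too:
    an enumerator walks IDs regardless of whether each store exists."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["store_id"] is not None:
            per_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["time"])
        for i, start in enumerate(recs):
            # sliding window anchored at each request in turn
            window = [r for r in recs[i:]
                      if (r["time"] - start["time"]).total_seconds() <= window_seconds]
            ids = {r["store_id"] for r in window}
            if len(ids) >= min_distinct_ids:
                findings[ip] = {
                    "distinct_store_ids": len(ids),
                    # stores whose review data was actually served (status 200)
                    "served_200": sorted(r["store_id"] for r in window if r["status"] == 200),
                    "first_seen": start["time"].isoformat(),
                    "user_agent": start["ua"],
                }
                break
    return findings


if __name__ == "__main__":
    for ip, info in detect_enumeration(SAMPLE_LOG).items():
        print(ip, info)
```

The "served_200" list is what matters for breach-notification decisions: it tells you which stores' reviewer data was actually returned to an anonymous client, which is the evidence L38's customer-notification step needs. On a real deployment, feed the parser from the SIEM or from the web server's rotated logs rather than an embedded string, and raise the window if your logs are sampled.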
How to Mitigate CVE-2026-3504
Immediate Actions Required
- Update the Dokan plugin to a version newer than 4.3.1 that incorporates the fix delivered in WordPress Changeset #3481799
- If patching is delayed, disable store reviews in the Dokan Pro settings to remove the exposed data path
- Audit existing review data and notify affected customers if log analysis indicates prior unauthenticated access
Patch Information
The vendor addressed the vulnerability in the changeset published at WordPress Changeset #3481799. The fix modifies the prepare_reviews_for_response method in StoreController.php to omit reviewer email addresses, usernames, and user IDs from the unauthenticated API response. Site administrators should upgrade through the WordPress plugin manager and verify the plugin version reports higher than 4.3.1.
Workarounds
- Restrict access to the /wp-json/dokan/v1/stores/{id}/reviews endpoint at the WAF or reverse proxy layer until the patch is applied
- Temporarily disable the Dokan Pro store reviews feature to eliminate the data exposure entirely
- Apply rate limiting to the WordPress REST API namespace to slow enumeration attempts against vendor stores
# Example nginx configuration to block unauthenticated access to the vulnerable endpoint.
# The api_limit zone must be declared once in the http {} context, for example:
#   limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/m;
location ~ ^/wp-json/dokan/v1/stores/[0-9]+/reviews {
    # Reject callers that send no Authorization header (anonymous requests).
    # Note: WordPress cookie/nonce sessions also send no Authorization header,
    # so logged-in browser users are blocked as well; acceptable as a stopgap.
    if ($http_authorization = "") {
        return 403;
    }
    # Throttle whatever remains to slow store-ID enumeration.
    limit_req zone=api_limit burst=5 nodelay;
}
# This location does not cover the /?rest_route=/dokan/v1/stores/{id}/reviews form
# of the REST API; disabling store reviews or applying the patch remains the complete fix.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.