Security flaws in WooCommerce and the Dokan Pro plugin have been discovered

Publication date: 26.11.2025
Blog category: Web Security

WooCommerce published an advisory for an XSS (Cross-Site Scripting) vulnerability, while Wordfence simultaneously warned of a critical vulnerability in Dokan Pro, a plugin for WooCommerce. The Dokan Pro notice warned that an SQL injection vulnerability could allow unauthenticated attackers to extract sensitive information from a website's database. Wordfence indicated to SEJ that the free version of the plugin, Dokan Lite, was not affected.

"Dokan Pro allows users to turn their WooCommerce website into a multi-seller platform similar to sites like Amazon and Etsy. It currently has over 50,000 installs. Versions of the plugin up to and including 3.10.3 are vulnerable. According to Wordfence, version 3.11.0 is fully patched and the most secure version."

🚀 Currently, only 30.6% of installations use the latest version, 3.11. It is important to note that this vulnerability does not affect Dokan Lite; these statistics only show the version distribution for the Lite version and may or may not reflect the version distribution for Dokan Pro.

  • 📌 The vendor of Dokan Pro may not have wanted to alert attackers to a critical vulnerability: the changelog for version 3.10.4, released on April 25, 2024 and supposed to contain the fix, does not mention any security fix at all.

🚀 The Common Vulnerability Scoring System (CVSS) is an open standard for assigning a score that represents the severity of a vulnerability. The Dokan Pro vulnerability has been rated CVSS 10, the highest severity level, which means that all users of the plugin are advised to take immediate action.

"Dokan Pro contains an Unauthenticated SQL Injection vulnerability. An SQL Injection vulnerability in WordPress is one in which a plugin or theme allows an attacker to manipulate the database. The database is the heart of every WordPress website, where all passwords, logins, messages, themes, and plugin data are stored. A vulnerability that allows anyone to manipulate the database is extremely serious."
No, this vulnerability does not affect Dokan Lite.
Dokan Pro received a CVSS rating of 10, the highest level of severity.
Users of the Dokan Pro plugin are advised to update their sites as soon as possible.
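As an added illustration (not code from Dokan Pro, WooCommerce or the advisories quoted above), the pattern behind most WordPress plugin SQL injections is shown beside its hardened form: the unsafe build of the query by string concatenation, the corrected version that binds values through $wpdb->prepare(), and a REST route with the permission callback whose absence is what makes such a flaw "unauthenticated". The table name, function names, route and capability check are hypothetical.

```php
<?php
// Added illustration, not Dokan's or WooCommerce's code. The table suffix
// 'vendor_orders', the function names and the REST route are hypothetical.

// Vulnerable pattern: request input is concatenated straight into the SQL text,
// so the input can change the structure of the query, not just its values.
function example_get_orders_unsafe( WP_REST_Request $request ) {
    global $wpdb;
    $vendor_id = $request->get_param( 'vendor_id' );   // arbitrary attacker-controlled string
    $status    = $request->get_param( 'status' );
    $sql = "SELECT id, total FROM {$wpdb->prefix}vendor_orders "
         . "WHERE vendor_id = " . $vendor_id . " AND status = '" . $status . "'";
    return $wpdb->get_results( $sql );
}

// Corrected pattern: the query shape is fixed and each value is bound with a
// typed placeholder via $wpdb->prepare(); %d coerces to an integer, %s is quoted and escaped.
function example_get_orders_safe( WP_REST_Request $request ) {
    global $wpdb;
    $vendor_id = absint( $request->get_param( 'vendor_id' ) );    // non-negative integer only
    $status    = sanitize_key( $request->get_param( 'status' ) );
    $allowed   = array( 'pending', 'completed', 'cancelled' );     // allow-list for the enumerated field
    if ( ! in_array( $status, $allowed, true ) ) {
        return new WP_Error( 'bad_status', 'Unknown order status', array( 'status' => 400 ) );
    }
    $sql = $wpdb->prepare(
        "SELECT id, total FROM {$wpdb->prefix}vendor_orders WHERE vendor_id = %d AND status = %s",
        $vendor_id,
        $status
    );
    return $wpdb->get_results( $sql );
}

// The "unauthenticated" part: a REST route is reachable by anyone unless its
// permission_callback restricts it. Here only users who can manage the shop get through.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/orders', array(
        'methods'             => 'GET',
        'callback'            => 'example_get_orders_safe',
        'permission_callback' => function () {
            return current_user_can( 'manage_woocommerce' );
        },
    ) );
} );
```

Even with the permission callback in place, the query itself must still be prepared: authorization limits who can reach the endpoint, while prepare() is what keeps a logged-in user's input from rewriting the SQL.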
🧩 Summary: Critical vulnerabilities in WooCommerce and the Dokan Pro plugin have been identified that could allow attackers to cause serious damage to websites. Users are strongly advised to update their plugins to the latest versions to address these vulnerabilities.
🧠 Own considerations: To keep websites safe, it's important to update plugins and themes regularly. In addition, it is important to ensure that you are using reliable and secure plugins developed by reputable developers. This can significantly reduce the risk of vulnerabilities affecting your website.

Comments

BugHunter
This once again confirms that the WordPress plugin market, especially for plugins as popular as WooCommerce, is often a breeding ground for vulnerabilities. It seems plugin developers have completely forgotten the basics of security, focusing their attention on marketing campaigns and "trendy" features. Once again we see more than 50,000 users risking their businesses because of late updates. The fact that only 30.6% of owners have moved to the most secure version points to serious problems in communication with users. Is it really worth risking your business's reputation over a little laziness or carelessness when updating? Unfortunately, these plugins have become real magnets for attackers. It is time to admit that security is not a trend but a basic requirement. Who will answer for these clumsy mistakes? Onward to 2024, and we are still sitting with worms in the background code.
26.11.2025 07:00 BugHunter