CVE-2026-49780: WordPress Dokan plugin <= 5.0.2 - Privilege Escalation vulnerability
Customer Privilege Escalation in Dokan <= 5.0.2 versions.
Metrics
- CVSS v3.1
- 8.8
- Severity
- HIGH
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
This is a privilege escalation vulnerability in the Dokan WordPress plugin, versions 5.0.2 and earlier. It is reachable over the network and requires only a low-privilege account (such as a standard customer account on a marketplace site) to exploit. Successful exploitation allows an attacker to elevate their permissions within the WordPress site, gaining the ability to read, modify, or destroy data and functionality beyond what their account should permit. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection for CVE-2026-49780 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Patchstack) within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle the Dokan plugin.
AvailableHarborGuard is capable of scoring this finding at CVSS 8.8 (HIGH) and weighting it against each environment's configured compliance policy. Triage routing is available to direct the alert to the appropriate team inbox within each customer organization.
AvailableNo fix version has been published upstream for this CVE. HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available automatically the moment Dokan ships a remediated release. For customers with auto-remediation enabled, a rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention at that point.
Pending upstreamExploit Conditions
- Network reachabilityRequired
The attacker must be able to reach the WordPress site over the network; no local or physical access is needed.
- AuthenticationRequired
A low-privilege account (such as a standard customer account on the Dokan marketplace) is sufficient; no admin credentials are needed.
- Victim interactionNot required
No victim action is needed; the attacker can trigger the privilege escalation entirely on their own.
- Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layout, or other environmental factors.
Blast Radius
- An attacker elevates their WordPress role beyond the customer level, gaining access to administrative or vendor-level functionality.
- With elevated permissions, the attacker reads sensitive site data including order records, customer personally identifiable information, and stored payment references.
- The attacker can modify or delete product listings, orders, user records, and site configuration.
- Depending on the escalated role, the attacker may install plugins or execute server-side code, potentially leading to full site compromise.
How HarborGuard Handles This
Available on HarborGuard: detection for this CVE is active and matched against any image containing the Dokan plugin at version 5.0.2 or earlier. Because no upstream fix exists yet, HarborGuard monitors the advisory each ingest cycle and will trigger a patched-image rebuild the moment Dokan publishes a remediated version. For customers with auto-remediation enabled, that rebuild will include a regression test run and an automatic PR opened against affected workloads. In the interim, compensating controls worth considering include network-policy rules that restrict wp-admin and vendor dashboard endpoints to known IP ranges, web application firewall rules that enforce role-boundary checks on Dokan REST or AJAX endpoints, and feature-flag gating to disable Dokan vendor registration if new vendor sign-ups are not operationally required.
- Dokan, Inc. / Dokan≤ 5.0.2
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H