HarborGuard Database
CRITICAL | CVE-2026-56033 | CNA: Patchstack

CVE-2026-56033: WordPress Dokan Pro plugin <= 5.0.4 - Privilege Escalation vulnerability

Unauthenticated privilege escalation in Dokan Pro versions <= 5.0.4.

Metrics

CVSS v3.1 base score: 9.8
Severity: CRITICAL
Fixed in: no upstream fix version published at the time of this record
Affected products: 1


HarborGuard Analysis

Synopsis

An unauthenticated privilege escalation vulnerability affects the Dokan Pro WordPress plugin at version 5.0.4 and below. The flaw is reachable over the network and requires no credentials, so any external attacker who can send HTTP requests to the WordPress site can exploit it. Successful exploitation lets the attacker obtain an elevated WordPress role, up to administrator level, without first holding an account on the site; the CVSS impact metrics (C:H/I:H/A:H) reflect full confidentiality loss, data tampering, and potential service disruption. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection capability for CVE-2026-56033 is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle the Dokan Pro plugin. Any image containing an affected version of Dokan Pro (5.0.4 or below) surfaces in scan results automatically.
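A concrete form of the version check described above, added here as an example rather than HarborGuard's scanner code: it reads the `Version:` header that WordPress itself parses from a plugin's main file and compares it numerically against the advisory's upper bound, so that 5.0.10 is treated as newer than 5.0.4 (a plain string compare gets that backwards) and a pre-release such as 5.0.4-rc1 still falls inside the range. The sample header is constructed for the example, and the assumed main-file path `wp-content/plugins/dokan-pro/dokan-pro.php` is not taken from the advisory.

```python
import re
from typing import Optional, Tuple

# Constructed sample of a WordPress plugin header. WordPress reads the
# "Version:" field from the plugin's main file; the assumed path for Dokan Pro
# is wp-content/plugins/dokan-pro/dokan-pro.php (an assumption for this
# example, not taken from the advisory).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Dokan Pro
 * Version: 5.0.4
 * Author: weDevs
 */
"""

LAST_AFFECTED = "5.0.4"  # upper bound of the advisory range (<= 5.0.4)

# Matches " * Version: 5.0.4" inside the header comment block.
_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.MULTILINE | re.IGNORECASE)


def parse_plugin_version(header_text: str) -> Optional[str]:
    """Return the Version: header value, or None when the file has none."""
    m = _VERSION_RE.search(header_text)
    return m.group(1) if m else None


def version_key(version: str) -> Tuple[Tuple[int, ...], int]:
    """Sort key that compares release numbers component by component.

    "5.0.10" sorts after "5.0.4" (a plain string compare gets this backwards),
    trailing ".0" components do not matter (5.0 == 5.0.0), and a pre-release
    such as "5.0.5-beta1" sorts before the final "5.0.5".
    """
    core, dash, _prerelease = version.partition("-")
    numbers = tuple(int(part) for part in core.split(".") if part.isdigit())
    while len(numbers) > 1 and numbers[-1] == 0:
        numbers = numbers[:-1]
    return numbers, 0 if dash else 1


def is_affected(version: str, last_affected: str = LAST_AFFECTED) -> bool:
    """True when an installed version lies inside the advisory range."""
    return version_key(version) <= version_key(last_affected)


def assess_plugin(header_text: str) -> dict:
    """Scan one plugin file's contents and report version and affected status."""
    version = parse_plugin_version(header_text)
    return {"version": version, "affected": version is not None and is_affected(version)}


if __name__ == "__main__":
    print(assess_plugin(SAMPLE_HEADER))
```

In a container image scan the same function runs over the file at the assumed path inside each layer; an image whose plugin directory exists but whose main file lacks a `Version:` header is reported with `version: None` rather than silently marked safe.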
Triage: Available

HarborGuard scores this CVE at 9.8 CRITICAL using the CVSS v3.1 vector and is capable of weighting that score against each customer environment's compliance policy to determine urgency and blast radius. Triage findings can be routed automatically to the appropriate team inbox within each customer organization based on configured ownership rules.
Patch: Pending upstream

Because no upstream fix version has been published for CVE-2026-56033, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available immediately once a remediated release is shipped by the Dokan Pro maintainers. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads will be triggered automatically at that point.

Exploit Conditions

  • Network reachability: Required

    The vulnerable plugin is exposed over the network; an attacker must be able to send HTTP requests to the target WordPress site to exploit this vulnerability.

  • Authentication: Not required

    No credentials of any kind are needed; the exploit path is fully unauthenticated.

  • Victim interaction: Not required

    No action from a logged-in user or administrator is required to trigger the vulnerability.

  • Attack complexity: Low

    In CVSS terms there are no specialised access conditions: the attacker needs nothing beyond a reachable site running an affected version, with no race to win and no target-specific setup to discover first, so exploitation is expected to be reliable.

Blast Radius

  • A successful attacker obtains an elevated WordPress role, up to administrator level, without holding any account on the site beforehand.
  • With that role the attacker can read all stored site data, including user records, order history, vendor details, and any credentials or API tokens that plugins keep in the database.
  • The attacker can modify or delete persisted database rows, including product listings, user roles, plugin settings, and site content.
  • The attacker can disable plugins, upload or edit plugin and theme code to run arbitrary PHP on the server, or take the site down entirely.

How HarborGuard Handles This

Because no fix version exists for CVE-2026-56033 at this time, HarborGuard monitors the Patchstack advisory feed on every ingest cycle and will surface a patched-image rebuild the moment the Dokan Pro maintainers publish a remediated release. In the interim, compensating controls are worth considering. Network-policy or reverse-proxy rules that restrict public HTTP access to the WordPress admin endpoints shrink the attack surface; the same treatment for REST API endpoints needs more care, since the advisory does not name the vulnerable endpoint and Dokan's vendor dashboard and the WooCommerce storefront may depend on public REST routes. WAF rules aimed at unauthenticated role-manipulation requests add a further layer, but for the same reason they can only be generic until the affected code path is public. Where the marketplace can tolerate it, deactivating Dokan Pro until a fixed release ships removes the exposed code entirely. For customers who opt into auto-remediation, once an upstream fix is available the full flow (rebuild, regression test run, and PR opened against affected workloads) executes automatically. Given the 9.8 CRITICAL score and zero-credential exploit path, this advisory is surfaced at the highest urgency tier within HarborGuard triage queues.
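One way to apply the admin-endpoint restriction above at the reverse proxy, added here as an example and not HarborGuard's or Dokan's configuration: an nginx fragment that keeps `wp-login.php` and the `/wp-admin/` tree reachable only from a trusted address range while leaving `admin-ajax.php` open, because the public storefront and Dokan's front-end vendor dashboard call that file. The `php-fpm` upstream, the `203.0.113.0/24` range, the server name and the document root are placeholders.

```nginx
# Added example: restrict WordPress administration to a trusted network while
# the Dokan Pro fix is pending. "php-fpm", 203.0.113.0/24, the server name and
# the root are placeholders for the site's own values.

geo $trusted_admin {
    default        0;
    203.0.113.0/24 1;   # placeholder: admin / VPN egress range
}

# 1 when an untrusted client asks for the login page or the admin tree.
# admin-ajax.php is exempted first: map regexes are tested in order of
# appearance, and the storefront and Dokan vendor dashboard depend on it.
map "$trusted_admin:$uri" $admin_blocked {
    default                            0;
    "~^0:/wp-admin/admin-ajax\.php$"   0;
    "~^0:/wp-login\.php$"              1;
    "~^0:/wp-admin/"                   1;
}

server {
    listen 443 ssl;
    server_name shop.example.test;   # placeholder
    root /var/www/wordpress;         # placeholder
    index index.php;

    location / {
        if ($admin_blocked) { return 403; }
        try_files $uri $uri/ /index.php?$args;
    }

    # The same gate sits on the PHP handler so that /wp-admin/*.php is never
    # served to an untrusted client, neither executed nor as a static file.
    location ~ \.php$ {
        if ($admin_blocked) { return 403; }
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass php-fpm;   # placeholder upstream
    }
}
```

The check keys on the normalised `$uri`, so percent-encoded variants of the admin paths are matched after decoding. Extending the same allowlist to `/wp-json/` is possible with one more map entry, but it should only be done after testing vendor and checkout workflows on staging, because Dokan and WooCommerce REST routes may serve ordinary vendors and shoppers.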

Affected packages
  • Dokan Multivendor Plugin / Dokan Pro: ≤ 5.0.4 (no fixed version listed)
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H