Analysis Report · Folder Analysis cache/dokan-lite_4.2.4 → cache/dokan-lite_4.2.5 — CVE-2025-14977
Shared security patch analysis results
CVE Security Analysis & Writeups
ai-generated · per cve
Comprehensive security analysis generated by AI for each confirmed CVE match. Click on a CVE to view the detailed writeup including vulnerability background, technical details, patch analysis, and PoC guide.
CVE-2025-14977
Findings
includes/REST/StoreController.php
AI: 4 vulnerabilities
1 false positive, 3 true positives
CVE-2025-14977
--- cache/dokan-lite_4.2.4/includes/REST/StoreController.php 2026-01-20 00:24:23.992116193 +0000+++ cache/dokan-lite_4.2.5/includes/REST/StoreController.php 2026-01-20 00:29:25.454831595 +0000@@ -2,6 +2,7 @@ namespace WeDevs\Dokan\REST; +use WeDevs\Dokan\Traits\VendorAuthorizable; use WeDevs\Dokan\Vendor\Vendor; use WP_Error; use WP_Query;@@ -18,6 +19,7 @@ * @author weDevs <[email protected]> */ class StoreController extends WP_REST_Controller {+ use VendorAuthorizable; /** * Endpoint namespace@@ -62,7 +64,7 @@ 'description' => __( 'Unique identifier for the object.', 'dokan-lite' ), 'type' => 'integer', 'sanitize_callback' => 'absint',- 'validate_callback' => 'dokan_rest_validate_store_id',+ 'validate_callback' => [ $this, 'validate_store_id' ], ], ], [@@ -304,6 +306,12 @@ /** * Get singe store *+ * Public endpoint: Returns public data for all users/guests (respecting admin settings).+ * Sensitive data is only returned for authorized users (vendor, vendor staff, or admin).+ *+ * For vendor staff accessing via their own ID, the vendor ID is resolved to show their vendor's store.+ * Vendors and vendor staff attempting to access another vendor's store will be blocked (403).+ * * @since 1.0.0 * * @param $request@@ -311,9 +319,18 @@ * @return WP_Error|WP_REST_Response */ public function get_store( $request ) {- $store_id = (int) $request['id'];+ $requested_id = absint( $request->get_param( 'id' ) ); - $store = dokan()->vendor->get( $store_id );+ $store_id = $this->get_vendor_id_for_user( $requested_id );+ $store = dokan()->vendor->get( $store_id );++ if ( ! $store || ! 
$store->get_id() ) {+ return new WP_Error(+ 'dokan_rest_store_not_found',+ __( 'Store not found.', 'dokan-lite' ),+ [ 'status' => 404 ]+ );+ } $stores_data = $this->prepare_item_for_response( $store, $request ); $response = rest_ensure_response( $stores_data );@@ -357,13 +374,12 @@ * @return bool */ public function update_store_permissions_check( $request ) {- if ( current_user_can( 'manage_woocommerce' ) ) {- return true;- }+ $requested_id = absint( $request->get_param( 'id' ) ); - if ( current_user_can( 'dokandar' ) ) {- return dokan_get_current_user_id() === absint( $request->get_param( 'id' ) );- }+ // Resolve vendor ID: handles both vendor IDs and vendor staff IDs+ $store_id = $this->get_vendor_id_for_user( $requested_id );++ return $this->can_access_vendor_store( $store_id ); } /**@@ -376,17 +392,54 @@ * @return WP_Error|WP_REST_Response */ public function update_store( $request ) {- $store = dokan()->vendor->get( (int) $request->get_param( 'id' ) );+ $requested_id = absint( $request->get_param( 'id' ) ); - $params = $request->get_params();- $store_id = dokan()->vendor->update( $store->get_id(), $params );+ // Resolve vendor ID: handles both vendor IDs and vendor staff IDs+ $store_id = $this->get_vendor_id_for_user( $requested_id ); - if ( is_wp_error( $store_id ) ) {- return new WP_Error( $store_id->get_error_code(), $store_id->get_error_message() );+ if ( ! $store_id ) {+ return new WP_Error(+ 'dokan_rest_store_not_found',+ __( 'Store not found.', 'dokan-lite' ),+ [ 'status' => 404 ]+ ); } $store = dokan()->vendor->get( $store_id ); + if ( ! $store || ! $store->get_id() ) {+ return new WP_Error(+ 'dokan_rest_store_not_found',+ __( 'Store not found.', 'dokan-lite' ),+ [ 'status' => 404 ]+ );+ }+ if ( ! 
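Review bot: The docblock added at the top of this hunk says vendors and vendor staff reaching another vendor's store "will be blocked (403)", but `get_store` itself only returns the 404 for a missing store and otherwise always builds the response; the access decision happens inside `prepare_item_for_response`, which strips fields rather than rejecting the request, and nothing visible in this diff produces a 403 on the read path (the route's permission callback and `validate_store_id` are outside it). Either the docblock should match the code, e.g. `* Non-owners receive the public subset of the store data; no 403 is returned by this method.`, or the rejection belongs here. The body of `get_store` continues past the end of the hunk.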
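Review bot: `update_store_permissions_check` passes whatever `get_vendor_id_for_user( $requested_id )` returns straight into `can_access_vendor_store()`, including a falsy result for an id that is neither a vendor nor a staff member; whether the trait treats `0` as "deny" is not visible in this diff, and for an admin it presumably allows, after which `update_store` produces the 404. An explicit `if ( ! $store_id ) { return false; }` before the `return` makes the callback's answer independent of the trait's handling of an unresolved id. The removed code also returned `null` for users who were neither `manage_woocommerce` nor `dokandar`; the new version always returns the trait's bool, which is an improvement worth a line in the docblock.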
$this->can_access_vendor_store( $store->get_id() ) ) {+ return new WP_Error(+ 'dokan_rest_store_cannot_access',+ __( 'You do not have permission to access this store.', 'dokan-lite' ),+ [ 'status' => 403 ]+ );+ }++ $params = $request->get_params();++ $restricted_fields = $this->get_restricted_fields_for_update( $store, $request );++ foreach ( $restricted_fields as $field ) {+ if ( isset( $params[ $field ] ) ) {+ unset( $params[ $field ] );+ }+ }++ $updated_store_id = dokan()->vendor->update( $store->get_id(), $params );++ if ( is_wp_error( $updated_store_id ) ) {+ return new WP_Error( $updated_store_id->get_error_code(), $updated_store_id->get_error_message() );+ }++ $store = dokan()->vendor->get( $updated_store_id );+ do_action( 'dokan_rest_stores_update_store', $store, $request ); $stores_data = $this->prepare_item_for_response( $store, $request );@@ -396,6 +449,43 @@ } /**+ * Get restricted fields for store update based on user role.+ *+ * @since 4.2.5+ *+ * @param \WeDevs\Dokan\Vendor\Vendor $store Store object.+ * @param \WP_REST_Request $request Request object.+ *+ * @return array Array of restricted field names.+ */+ protected function get_restricted_fields_for_update( $store, $request ) {+ $is_admin = current_user_can( 'manage_options' );+ $is_vendor = dokan_is_user_seller( get_current_user_id(), true );+ $restricted_fields = [];++ if ( ! $is_admin && ! $is_vendor ) {+ $staff_restricted_fields = [+ 'email',+ 'password',+ ];+ array_push( $restricted_fields, ...$staff_restricted_fields );+ }++ if ( ! 
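Review bot: The restricted-field loop in `update_store` guards the `unset` with `isset( $params[ $field ] )`, which is false when the caller sends the key with a `null` value, so `'email' => null` or `'dokan_admin_percentage' => null` survives the loop and still reaches `dokan()->vendor->update()`; whether that helper treats `null` as "clear the value" is outside the diff, but the guard buys nothing because `unset()` on a missing key is already a no-op. The loop can be `foreach ( $restricted_fields as $field ) { unset( $params[ $field ] ); }`. Note also that `$store->get_id()` is re-read for the access check after `get_vendor_id_for_user()` already resolved the id, which is fine but deserves a comment saying the two are expected to agree. `update_store`'s return lies after the end of the hunk.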
$is_admin ) {+ $vendor_restricted_fields = [+ 'dokan_admin_percentage',+ 'dokan_admin_percentage_type',+ 'dokan_admin_additional_fee',+ 'admin_category_commission',+ ];++ array_push( $restricted_fields, ...$vendor_restricted_fields );+ }++ return apply_filters( 'dokan_rest_store_restricted_fields_for_update', $restricted_fields, $store, $request );+ }++ /** * Create store * * @param $request@@ -623,22 +713,35 @@ /** * Prepare a single user output for response *+ * Public data is returned for all users/guests (respecting admin settings for hiding vendor info).+ * Sensitive data is only returned for authorized users (vendor, vendor staff, or admin).+ * * @param Vendor $store * @param WP_REST_Request $request Request object. * @param array $additional_fields (optional)+ * @param bool $is_authorized (optional) Whether the current user is authorized to view sensitive data. * * @return WP_REST_Response $response Response data. */ public function prepare_item_for_response( $store, $request, $additional_fields = [] ) { $data = $store->to_array(); - $commission_settings = $store->get_commission_settings();- $data['admin_category_commission'] = $commission_settings->get_category_commissions();- $data['admin_commission'] = $commission_settings->get_percentage();- $data['admin_additional_fee'] = $commission_settings->get_flat();- $data['admin_commission_type'] = $commission_settings->get_type();+ $is_authorized = $this->can_access_vendor_store( $store->get_id() ); - $data = array_merge( $data, apply_filters( 'dokan_rest_store_additional_fields', $additional_fields, $store, $request ) );+ if ( $is_authorized ) {+ $data['admin_category_commission'] = $store->get_commission_settings()->get_category_commissions();+ $data['admin_commission'] = $store->get_commission_settings()->get_percentage();+ $data['admin_additional_fee'] = $store->get_commission_settings()->get_flat();+ $data['admin_commission_type'] = $store->get_commission_settings()->get_type();+ }++ $restricted_fields = 
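Review bot: `get_restricted_fields_for_update` is a denylist, and the keys it names (`dokan_admin_percentage`, `dokan_admin_percentage_type`, `dokan_admin_additional_fee`, `admin_category_commission`) are not the same names the view path uses (`admin_commission`, `admin_additional_fee`, `admin_commission_type`); if `dokan()->vendor->update()` reads keys other than the four listed here, the restriction silently does nothing for them, so the list should be checked against the keys that method actually consumes, or replaced by an allowlist of fields a non-admin may write. The `dokan_rest_store_restricted_fields_for_update` filter can also shrink the list to nothing, which is worth stating in the docblock: `* Filters may remove entries; callers must not rely on this list as the only protection for admin-only fields.` The second argument to `dokan_is_user_seller( get_current_user_id(), true )` is undocumented here; a short comment naming what `true` selects would help the next reader.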
$this->get_restricted_fields_for_view( $store, $request );++ foreach ( $restricted_fields as $field ) {+ unset( $data[ $field ] );+ }++ $data = array_merge( $data, apply_filters( 'dokan_rest_store_additional_fields', $additional_fields, $store, $request, $is_authorized ) ); $response = rest_ensure_response( $data ); $response->add_links( $this->prepare_links( $data, $request ) ); 
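Review bot: The docblock of `prepare_item_for_response` gains `@param bool $is_authorized (optional)`, but the signature is unchanged at `$additional_fields = []` and `$is_authorized` is computed locally from `can_access_vendor_store()`, so the tag documents a parameter that does not exist and should be removed or turned into a plain sentence about the internal check. `$store->get_commission_settings()` is now called four times where the removed code called it once; keeping `$commission_settings = $store->get_commission_settings();` inside the `if` restores the single lookup. The `dokan_rest_store_additional_fields` filter runs after the restricted keys are unset, so a callback can reintroduce them; it does receive `$is_authorized`, which the docblock could say explicitly.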
@@ -646,6 +749,61 @@ } /**+ * Get restricted fields for store view based on user authorization.+ *+ * Determines which fields should be hidden from the store data response based on:+ * - User authorization status (authorized users see more data)+ * - User role (vendor staff cannot see admin commission data)+ * - Admin settings (for hiding vendor info like address, phone, email)+ * - Vendor preferences (vendor can choose to hide email)+ *+ * @since 4.2.5+ *+ * @param \WeDevs\Dokan\Vendor\Vendor $store Store object.+ * @param \WP_REST_Request $request Request object.+ *+ * @return array Array of restricted field names that should be removed from the response.+ */+ protected function get_restricted_fields_for_view( $store, $request ) {+ $restricted_fields = [];++ $is_authorized = $this->can_access_vendor_store( $store->get_id() );++ $is_admin = current_user_can( 'manage_options' );++ // Restrict admin commission fields for all except admins and vendor only+ if ( ! $is_admin && ! dokan_is_user_seller( get_current_user_id(), true ) ) {+ $restricted_fields[] = 'admin_category_commission';+ $restricted_fields[] = 'admin_commission';+ $restricted_fields[] = 'admin_additional_fee';+ $restricted_fields[] = 'admin_commission_type';+ }++ // Additional restrictions for unauthorized users (public access)+ if ( ! $is_authorized ) {+ // Respect admin settings for hiding vendor info+ if ( dokan_is_vendor_info_hidden( 'address' ) ) {+ $restricted_fields[] = 'address';+ }++ if ( dokan_is_vendor_info_hidden( 'phone' ) ) {+ $restricted_fields[] = 'phone';+ }++ // Hide email if admin setting hides it OR vendor doesn't want to show it+ if ( dokan_is_vendor_info_hidden( 'email' ) || ! 
$store->show_email() ) {+ $restricted_fields[] = 'email';+ }++ // Always hide sensitive payment and store status data from public+ $restricted_fields[] = 'payment';+ $restricted_fields[] = 'enabled';+ }++ return apply_filters( 'dokan_rest_store_restricted_fields_for_view', $restricted_fields, $store, $request );+ }++ /** * Prepare a single user output for response * * @param object $item
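Review bot: The admin-commission branch of `get_restricted_fields_for_view` tests whether the current user is any seller (`dokan_is_user_seller( get_current_user_id(), true )`), not whether they own `$store`, so taken on its own this list would leave vendor A's commission fields visible to vendor B; the data is only protected because `prepare_item_for_response` adds those keys solely when `$is_authorized` is true. Tying the condition to the store, `if ( ! $is_admin && ! ( $is_authorized && dokan_is_user_seller( get_current_user_id(), true ) ) )`, makes the filter-exposed list correct by itself. The comment `// Restrict admin commission fields for all except admins and vendor only` reads awkwardly; `// Commission fields are visible only to admins and to the store's own vendor` states the intent. `$is_authorized` is also recomputed here although the caller already holds it; passing it in would avoid the second `can_access_vendor_store()` call.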
AI Analysis
Now let me analyze the key changes:
## Security Analysis of StoreController.php Diff
**Vulnerability 1: Insufficient Authorization in get_store() and get_store_permissions_check()**
Vulnerability Existed: yes
FALSE POSITIVE
Improper Access Control (CWE-284) - CWE-284 - includes/REST/StoreController.php [313-322 → 321-338]
Old Code:
```php
public function get_store( $request ) {
$store_id = (int) $request['id'];
$store = dokan()->vendor->get( $store_id );
$stores_data = $this->prepare_item_for_response( $store, $request );
$response = rest_ensure_response( $stores_data );
return $response;
}
```
Fixed Code:
```php
public function get_store( $request ) {
$requested_id = absint( $request->get_param( 'id' ) );
$store_id = $this->get_vendor_id_for_user( $requested_id );
$store = dokan()->vendor->get( $store_id );
if ( ! $store || ! $store->get_id() ) {
return new WP_Error(
'dokan_rest_store_not_found',
__( 'Store not found.', 'dokan-lite' ),
[ 'status' => 404 ]
);
}
$stores_data = $this->prepare_item_for_response( $store, $request );
$response = rest_ensure_response( $stores_data );
return $response;
}
```
Explanation:
The old implementation allowed any authenticated or unauthenticated user (as `permission_callback` is `__return_true`) to retrieve store information by vendor ID without checking authorization. The new code resolves vendor staff IDs to their parent vendor through `get_vendor_id_for_user()` and gates the sensitive fields behind `can_access_vendor_store()`, which is applied when the response is prepared, so only the vendor, their staff, or an admin receives that data.
---
**Vulnerability 2: Insufficient Authorization in update_store_permissions_check() and update_store()**
Vulnerability Existed: yes
TRUE POSITIVE
Improper Access Control (CWE-284) - CWE-284 - includes/REST/StoreController.php [359-367 → 376-382]
Old Code:
```php
public function update_store_permissions_check( $request ) {
if ( current_user_can( 'manage_woocommerce' ) ) {
return true;
}
if ( current_user_can( 'dokandar' ) ) {
return dokan_get_current_user_id() === absint( $request->get_param( 'id' ) );
}
}
```
Fixed Code:
```php
public function update_store_permissions_check( $request ) {
$requested_id = absint( $request->get_param( 'id' ) );
// Resolve vendor ID: handles both vendor IDs and vendor staff IDs
$store_id = $this->get_vendor_id_for_user( $requested_id );
return $this->can_access_vendor_store( $store_id );
}
```
Explanation:
The old code only checked if the user ID matched the requested vendor ID, which doesn't account for vendor staff members. The fixed code resolves vendor staff IDs to their parent vendor ID and uses the new `can_access_vendor_store()` method to properly determine authorization, allowing vendors and their staff to access their own store while preventing cross-vendor access.
---
**Vulnerability 3: Missing Update Restriction in update_store()**
Vulnerability Existed: yes
TRUE POSITIVE
Improper Input Validation (CWE-20) / Authorization (CWE-284) - CWE-20, CWE-284 - includes/REST/StoreController.php [378-396 → 392-449]
Old Code:
```php
public function update_store( $request ) {
$store = dokan()->vendor->get( (int) $request->get_param( 'id' ) );
$params = $request->get_params();
$store_id = dokan()->vendor->update( $store->get_id(), $params );
if ( is_wp_error( $store_id ) ) {
return new WP_Error( $store_id->get_error_code(), $store_id->get_error_message() );
}
$store = dokan()->vendor->get( $store_id );
do_action( 'dokan_rest_stores_update_store', $store, $request );
$stores_data = $this->prepare_item_for_response( $store, $request );
$response = rest_ensure_response( $stores_data );
return $response;
}
```
Fixed Code:
```php
public function update_store( $request ) {
$requested_id = absint( $request->get_param( 'id' ) );
// Resolve vendor ID: handles both vendor IDs and vendor staff IDs
$store_id = $this->get_vendor_id_for_user( $requested_id );
if ( ! $store_id ) {
return new WP_Error(
'dokan_rest_store_not_found',
__( 'Store not found.', 'dokan-lite' ),
[ 'status' => 404 ]
);
}
$store = dokan()->vendor->get( $store_id );
if ( ! $store || ! $store->get_id() ) {
return new WP_Error(
'dokan_rest_store_not_found',
__( 'Store not found.', 'dokan-lite' ),
[ 'status' => 404 ]
);
}
if ( ! $this->can_access_vendor_store( $store->get_id() ) ) {
return new WP_Error(
'dokan_rest_store_cannot_access',
__( 'You do not have permission to access this store.', 'dokan-lite' ),
[ 'status' => 403 ]
);
}
$params = $request->get_params();
$restricted_fields = $this->get_restricted_fields_for_update( $store, $request );
foreach ( $restricted_fields as $field ) {
if ( isset( $params[ $field ] ) ) {
unset( $params[ $field ] );
}
}
$updated_store_id = dokan()->vendor->update( $store->get_id(), $params );
if ( is_wp_error( $updated_store_id ) ) {
return new WP_Error( $updated_store_id->get_error_code(), $updated_store_id->get_error_message() );
}
$store = dokan()->vendor->get( $updated_store_id );
do_action( 'dokan_rest_stores_update_store', $store, $request );
$stores_data = $this->prepare_item_for_response( $store, $request );
$response = rest_ensure_response( $stores_data );
return $response;
}
```
Explanation:
The old code accepted all request parameters without filtering, allowing vendor staff and non-admin users to modify sensitive fields like commission percentages and payment settings. The new code uses `get_restricted_fields_for_update()` to filter out restricted fields based on the user's role (admin-only fields are removed for non-admin users, vendor staff cannot modify email/password), preventing privilege escalation.
---
**Vulnerability 4: Information Disclosure in prepare_item_for_response()**
Vulnerability Existed: yes
TRUE POSITIVE
Information Exposure Through Query Strings (CWE-598) / Improper Authorization (CWE-284) - CWE-598, CWE-284 - includes/REST/StoreController.php [632-646 → 720-802]
Old Code:
```php
public function prepare_item_for_response( $store, $request, $additional_fields = [] ) {
$data = $store->to_array();
$commission_settings = $store->get_commission_settings();
$data['admin_category_commission'] = $commission_settings->get_category_commissions();
$data['admin_commission'] = $commission_settings->get_percentage();
$data['admin_additional_fee'] = $commission_settings->get_flat();
$data['admin_commission_type'] = $commission_settings->get_type();
$data = array_merge( $data, apply_filters( 'dokan_rest_store_additional_fields', $additional_fields, $store, $request ) );
$response = rest_ensure_response( $data );
$response->add_links( $this->prepare_links( $data, $request ) );
return apply_filters( 'dokan_rest_prepare_store_item_for_response', $response );
}
```
Fixed Code:
```php
public function prepare_item_for_response( $store, $request, $additional_fields = [] ) {
$data = $store->to_array();
$is_authorized = $this->can_access_vendor_store( $store->get_id() );
if ( $is_authorized ) {
$data['admin_category_commission'] = $store->get_commission_settings()->get_category_commissions();
$data['admin_commission'] = $store->get_commission_settings()->get_percentage();
$data['admin_additional_fee'] = $store->get_commission_settings()->get_flat();
$data['admin_commission_type'] = $store->get_commission_settings()->get_type();
}
$restricted_fields = $this->get_restricted_fields_for_view( $store, $request );
foreach ( $restricted_fields as $field ) {
unset( $data[ $field ] );
}
$data = array_merge( $data, apply_filters( 'dokan_rest_store_additional_fields', $additional_fields, $store, $request, $is_authorized ) );
$response = rest_ensure_response( $data );
$response->add_links( $this->prepare_links( $data, $request ) );
return apply_filters( 'dokan_rest_prepare_store_item_for_response', $response );
}
```
Explanation:
The old code always returned sensitive admin commission data in store responses, exposing financial information to unauthorized users. The new code checks authorization before including commission data and uses `get_restricted_fields_for_view()` to conditionally remove sensitive fields (admin commissions, email, phone, address, payment data) based on user role and authorization status, respecting admin settings for hiding vendor information.
CVE Analysis Results:
CVE-2025-14977: Yes
The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.2.4 via the `/wp-json/dokan/v1/settings` REST API endpoint due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with customer-level permissions and above, to read or modify other vendors' store settings including sensitive payment information (PayPal email, bank account details, routing numbers, IBAN, SWIFT codes), phone numbers, and addresses, and change PayPal email addresses to attacker-controlled addresses, enabling financial theft when the marketplace processes payouts.
includes/REST/StoreSettingController.php
AI: Not Sure
1 false positive, 1 true positive
CVE-2025-14977
--- cache/dokan-lite_4.2.4/includes/REST/StoreSettingController.php 2026-01-20 00:24:24.000116688 +0000+++ cache/dokan-lite_4.2.5/includes/REST/StoreSettingController.php 2026-01-20 00:29:25.454831595 +0000@@ -9,12 +9,11 @@ /** * StoreSettings API Controller- * * @package dokan * * @author weDevs <[email protected]> */-class StoreSettingController extends WP_REST_Controller {+class StoreSettingController extends StoreController { /** * Endpoint namespace *@@ -83,44 +82,31 @@ * @return WP_Error|\WP_REST_Response */ public function update_settings( $request ) {- $vendor = $this->get_vendor( $request );- $params = $request->get_params();- $store_id = dokan()->vendor->update( $vendor->get_id(), $params );+ $vendor_id = (int) $request->get_param( 'vendor_id' );+ $request->set_param( 'id', $vendor_id );+ $response = parent::update_store( $request ); - if ( is_wp_error( $store_id ) ) {- return new WP_Error( $store_id->get_error_code(), $store_id->get_error_message() );+ if ( is_wp_error( $response ) ) {+ return $response; } - $store = dokan()->vendor->get( $store_id );+ $store = dokan()->vendor->get( $vendor_id ); do_action( 'dokan_rest_store_settings_after_update', $store, $request ); - $stores_data = $this->prepare_item_for_response( $store, $request );- $response = rest_ensure_response( $stores_data );- return $response; } /**- * @param $request+ * @param \WP_REST_Request $request * * @return mixed|WP_Error|\WP_HTTP_Response|\WP_REST_Response */ public function get_settings( $request ) {- $vendor = $this->get_vendor( $request );- $response = dokan_get_store_info( $vendor->id );-- $methods_data = dokan_get_container()->get( 'dashboard' )->templates->settings->get_seller_payment_methods( $vendor->get_id() );-- $response['bank_payment_required_fields'] = dokan_bank_payment_required_fields();- $response['active_payment_methods'] = $methods_data['active_methods'] ?? [];- $response['connected_methods'] = $methods_data['connected_methods'] ?? 
[];- $response['disconnected_methods'] = $methods_data['disconnected_methods'] ?? [];- $response['withdraw_options'] = dokan_withdraw_get_methods();- $response['fields_placeholders'] = dokan_bank_payment_fields_placeholders();- $response['chargeable_methods'] = dokan_withdraw_get_chargeable_methods();+ $vendor_id = (int) $request->get_param( 'vendor_id' );+ $request->set_param( 'id', $vendor_id ); - return rest_ensure_response( $response );+ return parent::get_store( $request ); } /**@@ -199,7 +185,8 @@ * @return \WP_REST_Response $response Response data. */ public function prepare_item_for_response( $store, $request, $additional_fields = [] ) {- $data = $store->to_array();+ $response = parent::prepare_item_for_response( $store, $request, $additional_fields );+ $data = $response->get_data(); $data = array_merge( $data, apply_filters( 'dokan_rest_store_settings_additional_fields', $additional_fields, $store, $request ) ); $response = rest_ensure_response( $data ); $response->add_links( $this->prepare_links( $data, $request ) );
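Review bot: After `parent::update_store()` returns, `update_settings` reloads the store with `dokan()->vendor->get( $vendor_id )`, i.e. the raw requested `vendor_id`, whereas the parent resolves that id through `get_vendor_id_for_user()` (a vendor-staff id maps to the staff member's vendor), so for a staff request the `dokan_rest_store_settings_after_update` action receives a vendor object built from the staff user's id rather than the store that was updated. Using the same resolution, `$store = dokan()->vendor->get( $this->get_vendor_id_for_user( $vendor_id ) );`, keeps the hook consistent with the update. `(int) $request->get_param( 'vendor_id' )` also turns a missing parameter into `0`; the removed `get_vendor( $request )` helper presumably supplied a default, so confirm the route args require `vendor_id` or default it from the current user. `get_settings` now returns the public subset of the store to non-owners instead of an error; whether a customer-level user should reach this route at all is decided by its permission callback, which is outside this hunk.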
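Review bot: The `dokan_rest_store_settings_additional_fields` filter in `prepare_item_for_response` runs on data from which the parent has already stripped restricted fields, but unlike the parent's `dokan_rest_store_additional_fields` it is not told whether the viewer is authorized, so a settings filter callback cannot know it must not re-add `payment` or commission keys. Passing the same flag, `apply_filters( 'dokan_rest_store_settings_additional_fields', $additional_fields, $store, $request, $this->can_access_vendor_store( $store->get_id() ) )`, gives callbacks the information the parent filter already has. The method continues past the end of the hunk.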
AI Analysis
# Security Analysis: StoreSettingController.php Diff --- **Vulnerability 1:** Vulnerability Existed: **yes** TRUE POSITIVE **Improper Input Validation - CWE-20** - CWE-20 - includes/REST/StoreSettingController.php - Lines 85-86 **Old Code:** ```php $vendor = $this->get_vendor( $request ); $params = $request->get_params(); $store_id = dokan()->vendor->update( $vendor->get_id(), $params ); ``` **Fixed Code:** ```php $vendor_id = (int) $request->get_param( 'vendor_id' ); $request->set_param( 'id', $vendor_id ); $response = parent::update_store( $request ); ``` Explanation: The old code directly passed all request parameters (`$request->get_params()`) to the vendor update function without validation or sanitization. This creates an **Improper Input Validation** vulnerability (CWE-20) where unvalidated, unsanitized user input could be used to modify vendor data beyond intended fields. The fix explicitly extracts and type-casts the `vendor_id` parameter as an integer, ensuring only validated input is used. This demonstrates proper input validation by whitelist approach - only the specific required parameter is accepted and cast to a known-safe type. --- **Vulnerability 2:** Vulnerability Existed: **yes** FALSE POSITIVE **Missing Authorization Check - CWE-639** - CWE-639 - includes/REST/StoreSettingController.php - Lines 85-86 **Old Code:** ```php $vendor = $this->get_vendor( $request ); ``` **Fixed Code:** ```php $vendor_id = (int) $request->get_param( 'vendor_id' ); $request->set_param( 'id', $vendor_id ); $response = parent::update_store( $request ); ``` Explanation: The old code called `$this->get_vendor( $request )` which likely performed authorization checks. The new code delegates to `parent::update_store( $request )`, which (inheriting from `StoreController`) should contain the proper authorization logic. The vulnerability existed because the old implementation's authorization mechanism may have been incomplete or bypassed. 
The fix ensures authorization is properly enforced through the parent class's `update_store()` method, which should validate that the requesting user has permission to update the specified vendor's store settings. --- **Vulnerability 3:** Vulnerability Existed: **not sure** **Information Disclosure via Overprivileged Data Retrieval - CWE-639** - CWE-639 - includes/REST/StoreSettingController.php - Lines 108-121 **Old Code:** ```php $vendor = $this->get_vendor( $request ); $response = dokan_get_store_info( $vendor->id ); $methods_data = dokan_get_container()->get( 'dashboard' )->templates->settings->get_seller_payment_methods( $vendor->get_id() ); $response['bank_payment_required_fields'] = dokan_bank_payment_required_fields(); $response['active_payment_methods'] = $methods_data['active_methods'] ?? []; $response['connected_methods'] = $methods_data['connected_methods'] ?? []; $response['disconnected_methods'] = $methods_data['disconnected_methods'] ?? []; $response['withdraw_options'] = dokan_withdraw_get_methods(); $response['fields_placeholders'] = dokan_bank_payment_fields_placeholders(); $response['chargeable_methods'] = dokan_withdraw_get_chargeable_methods(); ``` **Fixed Code:** ```php $vendor_id = (int) $request->get_param( 'vendor_id' ); $request->set_param( 'id', $vendor_id ); return parent::get_store( $request ); ``` Explanation: The old code retrieved sensitive payment method and bank account information directly without explicit authorization context. The uncertainty stems from not knowing whether the parent class's `get_store()` method properly filters sensitive data based on user permissions. If the parent implementation includes proper authorization and field-level access control, this fix eliminates information disclosure risk. However, if sensitive payment data is still returned without authorization checks in the parent method, the vulnerability persists. 
The fix is a positive step toward delegating responsibility to the base controller, but security depends on proper implementation in `StoreController::get_store()`; the companion `StoreController.php` diff above shows that path removing `payment`, `enabled` and the commission fields for unauthorized viewers in `prepare_item_for_response()`, which is the check this concern turns on.
CVE Analysis Results:
CVE-2025-14977: Yes
The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.2.4 via the `/wp-json/dokan/v1/settings` REST API endpoint due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with customer-level permissions and above, to read or modify other vendors' store settings including sensitive payment information (PayPal email, bank account details, routing numbers, IBAN, SWIFT codes), phone numbers, and addresses, and change PayPal email addresses to attacker-controlled addresses, enabling financial theft when the marketplace processes payouts.