Dokan Pro WordPress Plugin has maximum severity SQL injection vulnerability
Take action: If you are using the Dokan Pro plugin, act immediately. Apply the patch in a test environment, run a quick round of testing, and deploy to production ASAP: your website is already visible on the internet, and attacks will be automated very quickly.
The Dokan Pro plugin for WordPress, which transforms WooCommerce websites into multi-vendor marketplaces similar to Amazon and Etsy, has been found vulnerable to a critical SQL Injection flaw.
The vulnerability, tracked as CVE-2024-3922 (CVSS score 10.0), is an SQL injection flaw caused by insufficient escaping of a user-supplied parameter and a lack of sufficient preparation on the existing SQL query, specifically via the 'code' parameter. This flaw allows unauthenticated attackers to append additional SQL queries to existing ones, enabling them to extract sensitive data from the database without needing user credentials.
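The two query patterns the advisory contrasts, shown side by side as an added illustration. This is not Dokan Pro's code: the table name, column names, the lookup functions and the request handler are hypothetical, and the snippet assumes a loaded WordPress environment that provides `$wpdb`, `wp_unslash()` and `wp_send_json_*()`.

```php
<?php
// Added illustrative example, not Dokan Pro's own code. Table, columns and
// function names are hypothetical; a loaded WordPress environment is assumed.

/**
 * Vulnerable pattern: the raw request value is concatenated into the SQL
 * string. Nothing escapes it and the query never goes through
 * $wpdb->prepare(), so the value can alter the structure of the query
 * instead of remaining a data literal.
 */
function example_lookup_by_code_vulnerable( $code ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_codes'; // hypothetical table
    $sql   = "SELECT id, owner_id FROM {$table} WHERE code = '" . $code . "'";
    return $wpdb->get_row( $sql );
}

/**
 * Hardened pattern: the value is bound through $wpdb->prepare(), which
 * escapes it and keeps it a literal whatever it contains. An allow-list
 * check on the expected format rejects malformed input before it reaches
 * the database at all.
 */
function example_lookup_by_code_hardened( $code ) {
    global $wpdb;

    // Hypothetical format rule: codes are 1-32 alphanumerics or dashes.
    if ( ! is_string( $code ) || ! preg_match( '/^[A-Za-z0-9-]{1,32}$/', $code ) ) {
        return null;
    }

    $table = $wpdb->prefix . 'example_codes'; // hypothetical table
    $sql   = $wpdb->prepare(
        "SELECT id, owner_id FROM {$table} WHERE code = %s",
        $code
    );
    return $wpdb->get_row( $sql );
}

/**
 * Hypothetical unauthenticated endpoint handler: read the parameter, strip
 * WordPress's added slashes, and route it only through the hardened lookup.
 * Any value that fails the format check gets a 400 instead of a query.
 */
function example_handle_code_request() {
    $code = isset( $_GET['code'] ) ? wp_unslash( $_GET['code'] ) : '';
    $row  = example_lookup_by_code_hardened( $code );
    if ( null === $row ) {
        wp_send_json_error( array( 'message' => 'invalid code' ), 400 );
    }
    wp_send_json_success( array( 'id' => (int) $row->id ) );
}
```

The format check is a defence in depth, not a substitute for `prepare()`: the placeholder binding is what guarantees the value cannot change the query, and it should be present on every query that takes request input regardless of whether an allow-list also applies.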
It affects all versions up to and including 3.10.3.
Users are advised to immediately upgrade to version 3.11.0, which addresses and mitigates the vulnerability. Testing updates in a staging environment before deploying live is prudent, but due to the severity, expediting this update is advised.
Currently, only 30.6% of Dokan Pro installations are on the latest, patched version 3.11.0, leaving 69.4% vulnerable.