WordPress plug-in Dokan Pro: Attackers can take over admin accounts
Online stores based on WordPress with the Dokan Pro plug-in can be targeted by attackers. A security update is available.
Under certain conditions, attackers can exploit the Dokan Pro plug-in on WordPress websites to take over admin accounts and compromise the sites.
The danger
The plug-in is used to set up online stores in which users can register as sellers with their own marketplace shops. Security researchers from Wordfence have pointed out a security vulnerability (CVE-2025-5931, rated "high") that has since been closed.
However, attackers must already be authenticated in order to launch an attack. If this is the case, they can abuse the faulty code in the seller-registration flow, which allows users to register as marketplace sellers, to create a new user with admin rights. They can then set their own password and gain extensive access to the website, which allows them to plant backdoors in online stores, for example.
Security patch available
The developers assure us that they have secured version 4.0.6 against the attack described. All previous versions are said to be vulnerable. It is currently unclear whether attacks are already taking place. Admins of WordPress websites with this plug-in should keep an eye out for unknown accounts in the user settings. If they find any, they should delete those accounts immediately.
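One way to make the check recommended above repeatable, as an added example that is not from heise or the plug-in vendor: the function below flags administrator accounts that are not on an allowlist of known admin logins. It assumes the account list comes from a WP-CLI export (`wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv`); the CSV rows and the allowlist used here are constructed sample data.

```bash
#!/usr/bin/env bash
# Audit WordPress administrator accounts against an allowlist of known logins.
# Constructed example; the CSV mimics a `wp user list ... --format=csv` export.
set -eu

KNOWN_ADMINS="alice bob"   # assumed allowlist of legitimate admin logins

# Print one line (ID login email registered) per administrator whose
# login is not in the allowlist.  $1: CSV export, $2: space-separated logins.
find_unknown_admins() {
    local csv="$1" allow=" $2 "
    tail -n +2 "$csv" | while IFS=, read -r id login email registered; do
        case "$allow" in
            *" $login "*) ;;                                   # expected account
            *) printf '%s %s %s %s\n' "$id" "$login" "$email" "$registered" ;;
        esac
    done
}

# Constructed sample export (not real data).
SAMPLE_CSV="$(mktemp)"
trap 'rm -f "$SAMPLE_CSV"' EXIT
cat > "$SAMPLE_CSV" <<'EOF'
ID,user_login,user_email,user_registered
1,alice,alice@example.test,2021-03-02 10:11:12
2,bob,bob@example.test,2022-07-14 08:00:00
17,vendor_support,x@example.test,2025-06-09 02:13:44
EOF

# Any line printed here is an admin account nobody on the team recognises.
find_unknown_admins "$SAMPLE_CSV" "$KNOWN_ADMINS"
```

On a live site, replace the sample file with the real export and keep the allowlist under version control so the audit can run from cron.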
Security vulnerabilities in the WordPress plug-in UiCore Elements, which has around 40,000 active installations, were recently closed as well. Through them, attackers were able to read information on servers that should have been inaccessible.
(des)