CVE-2026-3504

MEDIUM 5.3

Dokan: AI Powered WooCommerce Multivendor Marketplace Solution <= 4.3.1 - Unauthenticated Information Disclosure in Store Reviews REST API Endpoint

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

0th

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.1 via the '/dokan/v1/stores/{id}/reviews' REST API endpoint. This is due to the 'prepare_reviews_for_response' method including reviewer email addresses, usernames, and user IDs in the API response. This makes it possible for unauthenticated attackers to extract email addresses, usernames, and user IDs of all customers who left reviews on any vendor's store. The Pro version of the plugin must be installed and activated, with store reviews enabled, in order to exploit the vulnerability.

CWE	CWE-200
Vendor	dokaninc
Product	dokan: ai powered woocommerce multivendor marketplace solution – build your own amazon, ebay, etsy
Published	May 2, 2026

Stay Ahead of the Next One

Get instant alerts for dokaninc dokan: ai powered woocommerce multivendor marketplace solution – build your own amazon, ebay, etsy

Be the first to know when new medium vulnerabilities affecting dokaninc dokan: ai powered woocommerce multivendor marketplace solution – build your own amazon, ebay, etsy are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

dokaninc / Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy

0 ≤ 4.3.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

Credits

Rafshanzani Suhada