Platform: wordpress
Component: dokan-pro
Fixed in: 4.0.6
CVE-2025-5931 is a privilege escalation vulnerability affecting Dokan Pro, a WordPress plugin. This flaw allows authenticated attackers with vendor-level access or higher to escalate their privileges, potentially gaining control of administrator accounts. The vulnerability impacts versions 0.0.0 through 4.0.5, and a fix is available in version 4.0.6.
The primary impact of CVE-2025-5931 is unauthorized account takeover. An attacker with vendor privileges can exploit this vulnerability to modify user passwords, including those of administrators. This grants them complete control over the affected WordPress site, enabling them to modify content, install malicious code, steal sensitive data, and potentially compromise the entire system. Given Dokan Pro's functionality allowing customers to become vendors, a broad range of users could be at risk. The ability to escalate to administrator privileges represents a significant blast radius, potentially impacting all data and functionality associated with the WordPress site.
CVE-2025-5931 was publicly disclosed on August 26, 2025. No public proof-of-concept (PoC) code has been released at the time of writing. The vulnerability's impact and ease of exploitation suggest a potential for active exploitation, particularly given the plugin's popularity. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.06% (19th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-5931 is to immediately upgrade Dokan Pro to version 4.0.6 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider restricting vendor access to only trusted users. Implement strong password policies and multi-factor authentication for all administrator accounts. While a direct WAF rule is unlikely, monitoring for unusual password reset activity and privilege elevation attempts within the WordPress admin interface can provide an early warning system. After upgrading, confirm the fix by attempting a staff password reset with a non-administrator vendor account and verifying that the password change is denied.
Update the Dokan Pro plugin to version 4.0.6 or later to mitigate the privilege escalation vulnerability. Make sure to take a full backup of your website before updating the plugin.
CVE-2025-5931 is a vulnerability in the Dokan Pro WordPress plugin that allows attackers with vendor access to escalate privileges and potentially take over administrator accounts. It affects versions 0.0.0 through 4.0.5.
If you are using Dokan Pro version 0.0.0 through 4.0.5 on your WordPress site, you are potentially affected by this vulnerability. Check your plugin version immediately.
Upgrade Dokan Pro to version 4.0.6 or later to remediate the vulnerability. If immediate upgrade is not possible, restrict vendor access and implement strong password policies.
While no public exploits are currently known, the vulnerability's impact suggests a potential for active exploitation. Monitor your WordPress site for suspicious activity.
Refer to the official Dokan Pro website and WordPress plugin repository for the latest advisory and update information regarding CVE-2025-5931.
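The two defensive checks this advisory recommends, a version triage against the affected range and monitoring for password changes made to administrator accounts by lower-privileged users, as an added example that is not part of the advisory or of the Dokan Pro project. The audit-log line format, the role names and the sample lines are constructed for this example; adapt the regex to whatever activity-log plugin your site writes.

```python
"""Version triage and a log-based detector for the vendor-to-administrator
password-change pattern described for CVE-2025-5931 (added example)."""
import re
from typing import Dict, List

FIXED_VERSION = (4, 0, 6)            # the advisory's fixed version
PRIVILEGED_ROLES = {"administrator"}

def parse_version(v: str) -> tuple:
    """Turn '4.0.5' into (4, 0, 5) so versions compare numerically, not as strings.
    Assumes plain dot-separated numeric versions (no '-beta' suffixes)."""
    return tuple(int(p) for p in v.strip().split("."))

def dokan_pro_is_vulnerable(version: str) -> bool:
    """True for 0.0.0 through 4.0.5, the affected range named in the advisory."""
    return parse_version(version) < FIXED_VERSION

# Constructed (hypothetical) audit-log format:
#   <ISO timestamp> password_changed actor=<login>:<role> target=<login>:<role>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) password_changed actor=(?P<actor>[^:\s]+):(?P<actor_role>\S+) "
    r"target=(?P<target>[^:\s]+):(?P<target_role>\S+)$"
)

def flag_suspicious_password_changes(lines: List[str]) -> List[Dict[str, str]]:
    """Return events where a non-administrator changed another user's password
    and that user is an administrator: the account-takeover shape in the advisory."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # unrelated or malformed line
        ev = m.groupdict()
        if ev["actor"] == ev["target"]:
            continue                      # users changing their own password is expected
        if ev["actor_role"] not in PRIVILEGED_ROLES and ev["target_role"] in PRIVILEGED_ROLES:
            hits.append(ev)
    return hits

SAMPLE_LOG = [  # constructed sample lines, not real data
    "2025-08-27T10:00:01Z password_changed actor=alice:administrator target=bob:vendor",
    "2025-08-27T10:02:13Z password_changed actor=bob:vendor target=bob:vendor",
    "2025-08-27T10:05:44Z password_changed actor=bob:vendor target=alice:administrator",
    "2025-08-27T10:06:00Z plugin_updated name=dokan-pro version=4.0.6",
]

if __name__ == "__main__":
    print("4.0.5 vulnerable:", dokan_pro_is_vulnerable("4.0.5"))
    print("4.0.6 vulnerable:", dokan_pro_is_vulnerable("4.0.6"))
    for hit in flag_suspicious_password_changes(SAMPLE_LOG):
        print("ALERT", hit["ts"], hit["actor"], "changed password of", hit["target"])
```

The same actor/target test applies to the post-upgrade verification the advisory describes: a vendor account's attempt to reset an administrator password should be denied and, if logged at all, should never appear as a completed `password_changed` event.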