Platform: wordpress
Component: dokan-pro
Fixed version: 4.0.6
CVE-2025-5931 is a privilege escalation vulnerability affecting Dokan Pro, a WordPress plugin. This flaw allows authenticated attackers with vendor-level access or higher to escalate their privileges, potentially gaining control of administrator accounts. The vulnerability impacts versions 0.0.0 through 4.0.5, and a fix is available in version 4.0.6.
The primary impact of CVE-2025-5931 is unauthorized account takeover. An attacker with vendor privileges can exploit this vulnerability to modify user passwords, including those of administrators. This grants them complete control over the affected WordPress site, enabling them to modify content, install malicious code, steal sensitive data, and potentially compromise the entire system. Given Dokan Pro's functionality allowing customers to become vendors, a broad range of users could be at risk. The ability to escalate to administrator privileges represents a significant blast radius, potentially impacting all data and functionality associated with the WordPress site.
CVE-2025-5931 was publicly disclosed on August 26, 2025. No public proof-of-concept (PoC) code has been released at the time of writing. The vulnerability's impact and ease of exploitation suggest a potential for active exploitation, particularly given the plugin's popularity. It is not currently listed on the CISA KEV catalog.
Websites utilizing Dokan Pro for multi-vendor marketplace functionality are at risk, particularly those with a large number of vendors or lax vendor access controls. Shared hosting environments where multiple WordPress sites share the same server resources are also at increased risk, as a compromise of one site could potentially lead to lateral movement and exploitation of other sites running vulnerable versions of Dokan Pro.
Detection commands (wordpress / composer / npm):
• grep -r 'wp_update_user' /var/www/html/wp-content/plugins/dokan-pro/
• wp plugin list | grep dokan-pro
• wp plugin status dokan-pro
• wp option get dokan_pro_version
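The `wp plugin list` check above can be automated. The following Python script is an added example, not code from the advisory or from the Dokan project: it parses the JSON form of that command's output (`wp plugin list --format=json --fields=name,status,version`) and flags an installed Dokan Pro whose version falls in the affected range 0.0.0 through 4.0.5. The embedded plugin list is constructed sample data, and the version parser also handles padded and pre-release strings, which the advisory does not discuss.

```python
import json
import re
from typing import List, Tuple

# Values stated in the advisory for CVE-2025-5931.
PLUGIN_SLUG = "dokan-pro"
FIXED_VERSION = "4.0.6"  # affected range is 0.0.0 through 4.0.5

# Constructed sample of `wp plugin list --format=json --fields=name,status,version`
# output; not captured from a real site.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "active", "version": "5.3"},
    {"name": "dokan-lite", "status": "active", "version": "4.0.5"},
    {"name": "dokan-pro", "status": "active", "version": "4.0.5"},
])

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.0.5' or '4.0.6-beta1' into a tuple that compares correctly.
    Numeric parts are padded to three components; a pre-release suffix sorts
    below the plain release, so '4.0.6-beta1' still counts as older than the
    4.0.6 fix (the conservative choice for a scanner)."""
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)(.*)$", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))
    is_final_release = 0 if m.group(2).strip() else 1
    return nums + (is_final_release,)

def is_affected(version: str) -> bool:
    """True when the installed version is older than the 4.0.6 fix."""
    return parse_version(version) < parse_version(FIXED_VERSION)

def check_plugin_list(wp_json: str) -> List[Tuple[str, str, bool]]:
    """Return (version, status, affected) for every dokan-pro entry found.
    An empty list means the plugin is not installed; an inactive copy is
    still reported, since it should be updated before it is reactivated."""
    results = []
    for plugin in json.loads(wp_json):
        if plugin.get("name") == PLUGIN_SLUG:
            version = plugin.get("version", "0.0.0")
            results.append((version, plugin.get("status", "unknown"), is_affected(version)))
    return results

if __name__ == "__main__":
    for version, status, affected in check_plugin_list(SAMPLE_WP_PLUGIN_LIST):
        verdict = f"AFFECTED, upgrade to {FIXED_VERSION}+" if affected else "fixed"
        print(f"{PLUGIN_SLUG} {version} ({status}): {verdict}")
```

On a real site, pipe the live command output in place of the constructed sample; the script only reads the plugin inventory and changes nothing.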
Exploit status
EPSS: 0.06% (19th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-5931 is to immediately upgrade Dokan Pro to version 4.0.6 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider restricting vendor access to only trusted users. Implement strong password policies and multi-factor authentication for all administrator accounts. While a WAF rule that directly blocks this flaw is unlikely to be available, monitoring for unusual password reset activity and privilege elevation attempts within the WordPress admin interface can provide an early warning system. After upgrading, confirm the fix by attempting a staff password reset with a non-administrator vendor account and verifying that the password change is denied.
Update the Dokan Pro plugin to version 4.0.6 or later to mitigate the privilege escalation vulnerability. Be sure to take a full backup of your website before updating the plugin.
CVE-2025-5931 is a vulnerability in the Dokan Pro WordPress plugin that allows attackers with vendor access to escalate privileges and potentially take over administrator accounts. It affects versions 0.0.0 through 4.0.5.
If you are using Dokan Pro version 0.0.0 through 4.0.5 on your WordPress site, you are potentially affected by this vulnerability. Check your plugin version immediately.
Upgrade Dokan Pro to version 4.0.6 or later to remediate the vulnerability. If immediate upgrade is not possible, restrict vendor access and implement strong password policies.
While no public exploits are currently known, the vulnerability's impact suggests a potential for active exploitation. Monitor your WordPress site for suspicious activity.
Refer to the official Dokan Pro website and WordPress plugin repository for the latest advisory and update information regarding CVE-2025-5931.