Dokan: AI Powered WooCommerce Multivendor Marketplace Solution < 4.3.2 – Unauthenticated Information Disclosure in Store Reviews REST API Endpoint | CVE 2026-3504 | Plugin Vulnerabilities

Description

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.1 via the '/dokan/v1/stores/{id}/reviews' REST API endpoint. This is due to the 'prepare_reviews_for_response' method including reviewer email addresses, usernames, and user IDs in the API response. This makes it possible for unauthenticated attackers to extract email addresses, usernames, and user IDs of all customers who left reviews on any vendor's store. The Pro version of the plugin must be installed and activated, with store reviews enabled, in order to exploit the vulnerability.

Affects Plugins

Fixed in 4.3.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/02b0d7d7-8a10-48de-b1e1-7e1f1fda6ffe

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

Rafshanzani Suhada

Verified

No

WPVDB ID

bc767ced-b2a3-4e03-939f-4a467b824780

Timeline

Publicly Published

2026-05-01 (about 1 month ago)

Added

2026-05-02 (about 1 month ago)

Last Updated

2026-05-02 (about 1 month ago)

Other

Published

Title

Published

2025-12-15

Title

Fancy Product Designer | WooCommerce WordPress < 6.5.0 - Unauthenticated Information Disclosure and PHAR Deserialization via 'url' Parameter

Published

2023-12-27

Title

Product Catalog Simple < 1.7.7 - Sensitive Information Exposure via Product CSV

Published

2023-11-28

Title

WP Retina 2x < 6.4.6 - Sensitive Information Exposure

Published

2024-11-04

Title

Ultimate Bootstrap Elements for Elementor < 1.4.7 - Authenticated (Contributor+) Sensitive Information Exposure

Published

2024-10-09

Title

Keep Backup Daily <= 2.1.2 - Unauthenticated Information Disclosure