Vulnerabilities Discovered in WooCommerce and Dokan Pro Plugins

Updated on June 13, 2024

WooCommerce has issued an advisory about an XSS vulnerability, while Wordfence simultaneously flagged a critical flaw in the Dokan Pro WooCommerce plugin. The Dokan Pro flaw, identified as a SQL injection issue, enables unauthenticated attackers to extract sensitive information from a website’s database.

The Dokan Pro plugin, which converts WooCommerce websites into multi-vendor marketplaces akin to Amazon and Etsy, has over 50,000 installations. Versions up to and including 3.10.3 are vulnerable, according to Wordfence, with version 3.11.0 being the fully patched and safest release. Despite this, only 30.6% of installations are running the most updated version, leaving 69.4% of all Dokan Pro installations exposed.

The changelog, which informs users about updates, does not indicate that the patch for this critical vulnerability was included in version 3.10.4, released on April 25, 2024. This omission might have been intentional to avoid alerting hackers to the severity of the issue.

The Common Vulnerability Scoring System (CVSS) assigns a severity score based on exploitability and impact. The Dokan Pro vulnerability received a CVSS score of 10, the highest level of severity, prompting immediate action from users.

The Dokan Pro vulnerability is an Unauthenticated SQL Injection, meaning attackers do not need user credentials to exploit it. This type of vulnerability allows for manipulation of the database, the heart of every WordPress website. According to Wordfence, this flaw makes it possible for attackers to append additional SQL queries, extracting sensitive information.

Users of the Dokan Pro plugin are strongly advised to update their sites as soon as possible. While testing updates before deploying them live is always prudent, the severity of this vulnerability necessitates expedited updates.

WooCommerce has also reported a Cross-Site Scripting (XSS) vulnerability affecting versions 8.8.0 and higher, particularly for users with the Order Attribute feature enabled. Rated 5.4, this medium-level threat requires immediate updating to the latest version, WooCommerce 8.9.3. This XSS vulnerability could allow attackers to manipulate links to include malicious content, potentially impacting anyone who clicks on the link.
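As an added example (not code from the article, Wordfence, WooCommerce or Dokan), here is a small check a site operator can run against WP-CLI's `wp plugin list --format=json` output to flag installs that are still below the patched releases named above; the plugin slugs and the sample listing are assumed and constructed for illustration.

```python
"""Flag WordPress plugins below the patched releases named in the advisories.
Input mimics `wp plugin list --format=json` (WP-CLI); the sample is constructed."""
import json
import re

# Minimum safe versions as stated in the article; the slugs are an assumption.
PATCHED = {
    "dokan-pro": "3.11.0",    # Dokan Pro: <= 3.10.3 vulnerable (unauthenticated SQLi)
    "woocommerce": "8.9.3",   # WooCommerce: XSS in 8.8.0 and higher, fixed in 8.9.3
}

# Constructed sample resembling WP-CLI output; not real installations.
SAMPLE_WP_CLI_JSON = json.dumps([
    {"name": "dokan-pro", "status": "active", "version": "3.10.3"},
    {"name": "woocommerce", "status": "active", "version": "8.10.1"},
    {"name": "akismet", "status": "inactive", "version": "5.3"},
])


def parse_version(v):
    """Turn '3.10.3' into (3, 10, 3); a pre-release suffix such as '-beta1' is
    ignored, so the base version is what gets compared."""
    return tuple(int(p) for p in re.findall(r"\d+", v.split("-", 1)[0]))


def is_below(installed, minimum):
    """Numeric, component-wise comparison: 3.10.3 < 3.11.0 and 8.10.1 > 8.9.3.
    A plain string comparison would get both of these wrong."""
    a, b = parse_version(installed), parse_version(minimum)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def find_outdated(wp_cli_json, patched=PATCHED):
    """Return {slug: (installed, minimum)} for plugins older than the patched release."""
    outdated = {}
    for plugin in json.loads(wp_cli_json):
        slug = plugin["name"]
        if slug in patched and is_below(plugin["version"], patched[slug]):
            outdated[slug] = (plugin["version"], patched[slug])
    return outdated


if __name__ == "__main__":
    for slug, (have, need) in find_outdated(SAMPLE_WP_CLI_JSON).items():
        print(f"{slug}: installed {have}, update to {need} or later")
```

Feed it the real listing with `wp plugin list --format=json | python3 check.py` after replacing the constructed sample with `sys.stdin.read()`.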

Adam J. Humphreys, a web developer and search marketing expert from Making 8, Inc., suggests that web hosts should take a more proactive approach in patching critical vulnerabilities, even if it risks site functionality due to conflicts with other plugins or themes. He emphasizes the need for more frequent updates and management to ensure security. Adam explains that many hosts delay updates until a WordPress core update, leaving sites vulnerable. He advocates for ongoing management to mitigate the risks associated with using WordPress, which powers half of all websites.

These findings underscore the critical importance of staying vigilant and proactive in updating and securing WordPress plugins to protect against potential exploits.

Protect Your Store From Vulnerabilities With SafeUpdates

SafeUpdates automatically handles core updates, plugins, and themes, shielding you from vulnerabilities like those in WooCommerce and Dokan Pro.

Abdul Rehman

Abdul is a tech-savvy, coffee-fueled, and creatively driven marketer who loves keeping up with the latest software updates and tech gadgets. He's also a skilled technical writer who can explain complex concepts simply for a broad audience. Abdul enjoys sharing his knowledge of the Cloud industry through user manuals, documentation, and blog posts.