WooCommerce issued an advisory on an XSS vulnerability, while Wordfence reported a critical issue in the Dokan Pro plugin. The Dokan Pro advisory describes a SQL injection vulnerability that allows unauthenticated attackers to extract sensitive information from the site's database.
The Dokan Pro WordPress plugin turns WooCommerce sites into multi-vendor marketplaces similar to Amazon and Etsy and has over 50,000 installations. According to Wordfence, versions up to and including 3.10.3 are vulnerable, and version 3.11.0 is the fully patched version.
On WordPress.org, the Lite version has over 50,000 current installations and over 3 million all-time installations. Currently only 30.6% of those installations run the latest version, 3.11. Note that this vulnerability specifically affects Dokan Pro; the statistics for the Lite version do not necessarily reflect the version distribution of Dokan Pro.
Changelog Doesn’t Show Vulnerability Patch
The changelog is what tells users of a plugin what an update contains, and most plugin and theme makers publish a clear notice when an update includes a vulnerability patch. According to Wordfence, the vulnerability affects versions up to and including 3.10.3. But the changelog entry for version 3.10.4, released Apr 25, 2024 and the first release after the affected range (so presumably where the fix landed), does not mention a security patch at all. It is possible that the publisher of Dokan Pro did not want to alert hackers to the critical vulnerability. The practical consequence for site owners is that the changelog cannot be relied on to signal security fixes: the only safe course is to treat any Dokan Pro install below 3.11.0, the version Wordfence names as fully patched, as in need of an update.
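To turn the version ranges reported above into something a site owner can actually run, here is an added shell example. It is not code from Wordfence, from the Dokan developers, or from the original article. It parses the `Version:` line from a WordPress plugin header file and classifies the result against the ranges above: up to and including 3.10.3 is vulnerable, anything below 3.11.0 still needs the update Wordfence recommends, and 3.11.0 or later is patched. The plugin header is constructed for the example, and the `dokan-pro` WP-CLI slug mentioned in a comment is an assumption.

```shell
#!/bin/sh
# Added example: classify an installed Dokan Pro version against the
# affected range reported by Wordfence (<= 3.10.3) and the fully patched
# version (3.11.0). Pure POSIX sh + awk, so it runs on any WordPress host.

# version_cmp A B: prints -1, 0 or 1 for A <, =, > B, comparing dotted
# numeric versions component-wise (so 3.10.10 > 3.10.3 and 3.11 == 3.11.0).
version_cmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".");
    k = (n > m) ? n : m;
    for (i = 1; i <= k; i++) {
      p = (i in x) ? x[i] + 0 : 0;
      q = (i in y) ? y[i] + 0 : 0;
      if (p < q) { print "-1"; exit }
      if (p > q) { print "1"; exit }
    }
    print "0"
  }'
}

# dokan_pro_status VERSION: prints vulnerable / update-recommended / patched.
dokan_pro_status() {
  v="$1"
  if [ "$(version_cmp "$v" 3.10.3)" -le 0 ]; then
    echo vulnerable            # inside the affected range reported by Wordfence
  elif [ "$(version_cmp "$v" 3.11.0)" -lt 0 ]; then
    echo update-recommended    # past 3.10.3 but below the fully patched 3.11.0
  else
    echo patched
  fi
}

# plugin_version_from_header FILE: pull the "Version:" value out of a
# WordPress plugin main-file header (the block WordPress itself reads).
plugin_version_from_header() {
  sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([0-9.][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Constructed sample header (not a real Dokan Pro file), used for the demo.
# On a live site the same value can come from the plugin's main PHP file or
# from WP-CLI, e.g. `wp plugin get dokan-pro --field=version` (slug assumed).
sample_header="$(mktemp)"
cat > "$sample_header" <<'EOF'
<?php
/**
 * Plugin Name: Dokan Pro
 * Plugin URI: https://example.invalid/
 * Version: 3.10.3
 * Author: example
 */
EOF

installed="$(plugin_version_from_header "$sample_header")"
echo "installed Dokan Pro version: $installed -> $(dokan_pro_status "$installed")"
rm -f "$sample_header"
```

The classification deliberately keys off the advisory's version boundaries rather than the changelog text, since the changelog for 3.10.4 says nothing about a security fix; anything that is not reported as `patched` should be updated to 3.11.0 or later.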