{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24359", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-22T14:42:24.567Z", "datePublished": "2026-03-25T16:14:31.035Z", "dateUpdated": "2026-04-28T16:14:47.818Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "dokan-lite", "product": "Dokan", "vendor": "Dokan, Inc.", "versions": [{"changes": [{"at": "4.2.5", "status": "unaffected"}], "lessThanOrEqual": "4.2.4", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:18:32.175Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Dokan, Inc. Dokan dokan-lite allows Authentication Abuse.<p>This issue affects Dokan: from n/a through <= 4.2.4.</p>"}], "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Dokan, Inc. Dokan dokan-lite allows Authentication Abuse.This issue affects Dokan: from n/a through <= 4.2.4."}], "impacts": [{"capecId": "CAPEC-114", "descriptions": [{"lang": "en", "value": "Authentication Abuse"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-288", "description": "Authentication Bypass Using an Alternate Path or Channel", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:47.818Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/dokan-lite/vulnerability/wordpress-dokan-plugin-4-2-4-broken-authentication-vulnerability?_s_id=cve"}], "title": "WordPress Dokan plugin <= 4.2.4 - Broken Authentication vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T19:55:57.821836Z", "id": "CVE-2026-24359", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T01:48:54.824Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24359", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T19:55:57.821836Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T19:55:37.768Z"}}], "cna": {"title": "WordPress Dokan plugin <= 4.2.4 - Broken Authentication vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-114", "descriptions": [{"lang": "en", "value": "Authentication Abuse"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Dokan, Inc.", "product": "Dokan", "versions": [{"status": "affected", "changes": [{"at": "4.2.5", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "4.2.4"}], "packageName": "dokan-lite", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:18:32.175Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/dokan-lite/vulnerability/wordpress-dokan-plugin-4-2-4-broken-authentication-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Dokan, Inc. Dokan dokan-lite allows Authentication Abuse.This issue affects Dokan: from n/a through <= 4.2.4.", "supportingMedia": [{"type": "text/html", "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Dokan, Inc. Dokan dokan-lite allows Authentication Abuse.<p>This issue affects Dokan: from n/a through <= 4.2.4.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-288", "description": "Authentication Bypass Using an Alternate Path or Channel"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:04.147Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24359", "state": "PUBLISHED", "dateUpdated": "2026-04-28T01:48:54.824Z", "dateReserved": "2026-01-22T14:42:24.567Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:31.035Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Dokan, Inc. Dokan dokan-lite allows Authentication Abuse.This issue affects Dokan: from n/a through <= 4.2.4."}, {"lang": "es", "value": "Vulnerabilidad de omisi\u00f3n de autenticaci\u00f3n usando una ruta o canal alternativo en Dokan, Inc. Dokan dokan-lite permite el abuso de autenticaci\u00f3n. Este problema afecta a Dokan: desde n/a hasta &lt;= 4.2.4."}], "id": "CVE-2026-24359", "lastModified": "2026-04-24T16:32:53.997", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:36.840", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/dokan-lite/vulnerability/wordpress-dokan-plugin-4-2-4-broken-authentication-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-288"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.2.4]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "4.2.5"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Dokan", "source": "cna", "vendor": "Dokan, Inc."}, "product": "dokan", "vendor": "dokan"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-26T23:06:51.435540+00:00", "value": {"mitigation_remediation": ["Upgrade Dokan Lite to version 4.2.5 or later to eliminate the authentication flaw", "If an update is not yet available, disable or uninstall the Dokan Lite plugin until a patch is released", "Verify that no unauthorized WordPress user accounts exist and remove any that were added without proper authorization", "Apply general WordPress hardening: keep core, themes, and plugins updated; enforce strong passwords; limit login attempts; consider a web application firewall to guard against abnormal authentication attempts"], "summary": {"action": "Patch Now", "impact": "Authentication Bypass"}, "threat_synthesis": {"affected_systems": "All releases of the Dokan Lite WordPress plugin up to version 4.2.4 are affected. Any WordPress installation that includes Dokan Lite with a version less than or equal to 4.2.4 is vulnerable. The product in question is Dokan Lite from Dokan, Inc.", "description_and_impact": "An authentication bypass flaw exists in Dokan Lite versions through 4.2.4, classified as CWE\u2011288. The plugin allows an attacker to obtain access by using an alternate path or channel, bypassing normal authentication controls. This enables a user without valid credentials to perform actions that normally require a logged\u2011in session, potentially exposing sensitive data, enabling unauthorized administrative actions, and allowing the modification or disruption of site content.", "risk_and_exploitability": "The CVSS base score of 8.8 indicates high severity, while an EPSS probability of less than 1% suggests that exploitation is currently unlikely. The flaw is not listed in the CISA KEV catalog. Based on the description, the attack vector is likely remote via the website\u2019s request path; no local or privileged conditions are specified, so it is inferred that exploitation can occur from a remote location without requiring local access. An attacker could trigger the bypass by sending a crafted request to an alternate endpoint that the plugin does not properly protect, gaining authenticated privileges."}}}}, "created": "2026-03-25T21:34:53.682088+00:00", "updated": "2026-03-27T09:46:31.652424+00:00", "vendors": ["dokan", "dokan$PRODUCT$dokan", "wordpress", "wordpress$PRODUCT$wordpress"]}