October 27, 2014 at 9:31 pm 29176
|Yann||Any site visitor can deactivate products from any seller / shop. You do not even need to be registered on the site to do this, so a quick robot can bring down any Dokan shop in a matter of a few minutes. They can also change all the product title, features, description etc. A trusted seller (that has the dokan_publisher status) can easily modify any other sellers' products description, etc. I believe this makes the Dokan plugin completely unfit for production release. This is a major security issue that should be corrected ASAP.|
October 27, 2014 at 9:43 pm 29179
This is interesting given that you guys just released an article promoting dokan, discussing security issues in wp. Please can we have a quick response as my site ready for launch.
October 27, 2014 at 10:03 pm 29182
This vulnerability puts all site content at risk, not only products, but any WordPress content (articles, pages,…).
I cannot give more details here for obvious security reasons, because this would put all sites using the Dokan plugin in jeopardy right away.
Dokan developers: please contact me ASAP for details (use my e-mail address).
Only the Dokan plugin has this vulnerability, the legacy Dokan theme does not seem to have this problem.
October 27, 2014 at 10:06 pm 29183
Yes, this is quite ironic. WordPress & Woocommerce are quite safe for e-commerce, but the Dokan plugin makes WordPress and WC completely unsafe because of really poor programming. They should have taken time to review their PHP code instead of writing such a piece of propaganda.
(I’m not one of “those guys”, I was just investigating / correcting / debugging this product for one of my clients and now we just came to the conclusion that we are facing potential disaster if we carry on with this plugin.)
October 27, 2014 at 10:09 pm 29184
If you’re using the Dokan plugin, your site is unfit for launch. Any product on a live Dokan site can be brought down, you just need the products’ public URL for that.
October 27, 2014 at 11:49 pm 29191
update: you do not even need the product URL. You can just wipe out all products one by one.
October 28, 2014 at 1:23 am 29203
Update 2: you can also wipe out all pages and articles of the site, and retitle all media. You do not need to be connected to the site. This can be performed automatically from anywhere in the world. You just need to know the address of the site, and that the Dokan plugin is installed. I advise all users to deactivate the Dokan plugin at once until it is fixed!
October 28, 2014 at 5:17 am 29212
I replied your email and looking forward to hear from you soon with details.
October 28, 2014 at 2:14 pm 29237
@Mahi I just answered your email with details and a proposed security fix for this issue. Please update the plugin and advise all your users to upgrade.
October 28, 2014 at 2:42 pm 29240
Thank you Yann. Checking with dev team. will communicate with you via email.
January 11, 2015 at 2:44 am 33778
Was this fixed? We’re getting ready to launch our site soon.
January 11, 2015 at 10:12 am 33788
Yeah, no kidding. We need to know this!
I would really like to know the full details of this security issue. Can a developer contact me please with a description of how to reproduce this security breach so I can test and look for my own fixes.
I’m going to start digging in and looking for this vulnerability.
January 11, 2015 at 11:07 am 33797
Hello Roger and Robert,
We have fixed that issue right away. You can see our change log here: http://docs.wedevs.com/dokan-plugin-changelog/#v1-2-november-2-2014
January 11, 2015 at 11:36 am 33805
Ah, ok. Thanks guys. Post just scared me a bit 🙂
January 12, 2015 at 3:55 pm 33943
I do confirm the major security issues have been fixed in the latest version of the Dokan plugin.