WARNING! Dokan major security issue

This topic is: resolved


This topic contains 14 replies, has 7 voices, and was last updated by  Yann 4 years, 4 months ago.

    #29176

    Yann
    Member
    Post count: 33

    Any site visitor can deactivate products from any seller / shop. You do not even need to be registered on the site to do this, so a quick robot can bring down any Dokan shop in a matter of a few minutes.

    They can also change all the product titles, features, descriptions, etc.

    A trusted seller (one that has the dokan_publisher status) can easily modify any other seller's product descriptions, etc.

    I believe this makes the Dokan plugin completely unfit for production release.

    This is a major security issue that should be corrected ASAP.

    #29179

    Nurul
    Member
    Post count: 105

    This is interesting given that you guys just released an article promoting Dokan, discussing security issues in WP. Please can we have a quick response, as my site is ready for launch.

    #29182

    Yann
    Member
    Post count: 33

    This vulnerability puts all site content at risk, not only products, but any WordPress content (articles, pages,…).

    I cannot give more details here for obvious security reasons, because this would put all sites using the Dokan plugin in jeopardy right away.

    Dokan developers: please contact me ASAP for details (use my e-mail address).

    Only the Dokan plugin has this vulnerability, the legacy Dokan theme does not seem to have this problem.

    #29183

    Yann
    Member
    Post count: 33

    Yes, this is quite ironic. WordPress & WooCommerce are quite safe for e-commerce, but the Dokan plugin makes WordPress and WC completely unsafe because of really poor programming. They should have taken time to review their PHP code instead of writing such a piece of propaganda.

    (I'm not one of “those guys”, I was just investigating / correcting / debugging this product for one of my clients and now we just came to the conclusion that we are facing potential disaster if we carry on with this plugin.)

    #29184

    Yann
    Member
    Post count: 33

    If you're using the Dokan plugin, your site is unfit for launch. Any product on a live Dokan site can be brought down; you just need the product's public URL for that.

    #29191

    Yann
    Member
    Post count: 33

    Update: you do not even need the product URL. You can just wipe out all products one by one.

    #29203

    Yann
    Member
    Post count: 33

    Update 2: you can also wipe out all pages and articles of the site, and retitle all media. You do not need to be connected to the site. This can be performed automatically from anywhere in the world. You just need to know the address of the site, and that the Dokan plugin is installed. I advise all users to deactivate the Dokan plugin at once until it is fixed!

    #29212

    Mahi
    Member
    Post count: 135

    Hello Yann,

    I replied to your email and am looking forward to hearing from you soon with details.

    #29237

    Yann
    Member
    Post count: 33

    @mahi I just answered your email with details and a proposed security fix for this issue. Please update the plugin and advise all your users to upgrade.

    #29240

    Mahi
    Member
    Post count: 1555

    Thank you Yann. Checking with the dev team. Will communicate with you via email.

    #33778

    Roger
    Member
    Post count: 2

    Was this fixed? We're getting ready to launch our site soon.

    #33788

    RevolvedMedia
    Member
    Post count: 43

    Yeah, no kidding. We need to know this!

    I would really like to know the full details of this security issue. Can a developer contact me please with a description of how to reproduce this security breach so I can test and look for my own fixes.

    I'm going to start digging in and looking for this vulnerability.

    #33797

    Sekander Badsha
    Member
    Post count: 2067

    Hello Roger and Robert,

    We have fixed that issue right away. You can see our change log here: http://docs.wedevs.com/dokan-plugin-changelog/#v1-2-november-2-2014

    #33805

    RevolvedMedia
    Member
    Post count: 43

    Ah, ok. Thanks guys. Post just scared me a bit 🙂

    #33943

    Yann
    Member
    Post count: 33

    I do confirm the major security issues have been fixed in the latest version of the Dokan plugin.


The topic ‘WARNING! Dokan major security issue’ is closed to new replies.