WordPress marketplace check

CVE-2026-12077: Dokan Pro SQL injection self-check

CVE-2026-12077 affects Dokan Pro for WordPress through 5.0.4. The issue matters most on WooCommerce marketplace sites where public store, vendor, or location filtering is enabled.

Who is affected

  • WordPress sites running Dokan Pro 5.0.4 or older.
  • WooCommerce marketplaces with public vendor/store discovery pages.
  • Agencies that manage Dokan Pro sites and have not checked the plugin version after June 25, 2026.

Safe self-check

  1. Confirm the installed Dokan Pro version from WordPress admin or the plugin file metadata.
  2. Patch Dokan Pro before reopening public marketplace filters to untrusted traffic.
  3. Review web access logs for unusual repeated requests against vendor, store, map, or location-filtered pages.
  4. Review database error logs, slow queries, and export activity around the disclosure window.
  5. Check recent administrator users, vendor accounts, WooCommerce settings, and payment gateway configuration.
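
One way to do the log review in step 3, as an added example that is not part of the original page or of Dokan's code: it summarises clients that repeatedly request marketplace-style pages with a query string and notes any 5xx responses. The path hints, the threshold, the Combined Log Format, and the sample lines are assumptions to adapt to the site.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: substrings that mark marketplace pages; replace with the site's real URLs.
PATH_HINTS = ("vendor", "store", "map", "location")
# Combined Log Format: client, ident, user, [time], "METHOD target PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

def parse_line(line):
    """Return (client, path, query, status) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, target, status = m.groups()
    parts = urlsplit(target)
    return client, parts.path.lower(), parts.query, int(status)

def review(lines, min_requests=5):
    """Summarise clients that repeatedly hit filtered marketplace pages."""
    stats = defaultdict(lambda: {"requests": 0, "distinct_queries": set(), "errors_5xx": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, path, query, status = parsed
        # Only filtered requests (a query string is present) on marketplace-like paths.
        if not query or not any(h in path for h in PATH_HINTS):
            continue
        s = stats[client]
        s["requests"] += 1
        s["distinct_queries"].add(query)
        s["errors_5xx"] += status >= 500
    # Flag on volume, or on any server error, which may line up with database errors.
    return {
        c: {"requests": s["requests"], "distinct_queries": len(s["distinct_queries"]),
            "errors_5xx": s["errors_5xx"]}
        for c, s in stats.items()
        if s["requests"] >= min_requests or s["errors_5xx"] > 0
    }

# Constructed sample log lines (documentation IP ranges, made-up paths and parameters).
SAMPLE = (
    ['203.0.113.7 - - [26/Jun/2026:10:00:%02d +0000] "GET /store-listing/?filter=v%d HTTP/1.1" 200 512 "-" "-"'
     % (i, i) for i in range(6)]
    + ['203.0.113.7 - - [26/Jun/2026:10:00:09 +0000] "GET /store-listing/?filter=v9 HTTP/1.1" 500 0 "-" "-"',
       '198.51.100.4 - - [26/Jun/2026:10:01:00 +0000] "GET /store/acme/?page=2 HTTP/1.1" 200 900 "-" "-"',
       '198.51.100.4 - - [26/Jun/2026:10:01:05 +0000] "GET /shop/ HTTP/1.1" 200 900 "-" "-"']
)

if __name__ == "__main__":
    for client, summary in review(SAMPLE).items():
        print(client, summary)
```

Clients it flags are candidates for the closer review in steps 4 and 5; ordinary shoppers browsing a single filtered page stay below the threshold.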

Clean result

A clean result means Dokan Pro is patched, marketplace pages were not exposed while vulnerable, logs do not show unusual repeated filtering requests, and no unexpected user or WooCommerce configuration changes appeared.

When to request repair

Request Ping7 repair if the marketplace stored customer, vendor, or payment-adjacent data while the vulnerable version was public, or if logs show suspicious access during the exposure window.
