{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24359", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-22T14:42:24.567Z", "datePublished": "2026-03-25T16:14:31.035Z", "dateUpdated": "2026-03-26T20:01:35.761Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "dokan-lite", "product": "Dokan", "vendor": "Dokan, Inc.", "versions": [{"changes": [{"at": "4.2.5", "status": "unaffected"}], "lessThanOrEqual": "<= 4.2.4", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:12.313Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Dokan, Inc. Dokan dokan-lite allows Authentication Abuse.<p>This issue affects Dokan: from n/a through <= 4.2.4.</p>"}], "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Dokan, Inc. Dokan dokan-lite allows Authentication Abuse.This issue affects Dokan: from n/a through <= 4.2.4."}], "impacts": [{"capecId": "CAPEC-114", "descriptions": [{"lang": "en", "value": "Authentication Abuse"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-288", "description": "Authentication Bypass Using an Alternate Path or Channel", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:31.035Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/dokan-lite/vulnerability/wordpress-dokan-plugin-4-2-4-broken-authentication-vulnerability?_s_id=cve"}], "title": "WordPress Dokan plugin <= 4.2.4 - Broken Authentication vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T19:55:57.821836Z", "id": "CVE-2026-24359", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T20:01:35.761Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-24359", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T19:55:57.821836Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T19:55:37.768Z"}}], "cna": {"title": "WordPress Dokan plugin <= 4.2.4 - Broken Authentication vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-114", "descriptions": [{"lang": "en", "value": "Authentication Abuse"}]}], "affected": [{"vendor": "Dokan, Inc.", "product": "Dokan", "versions": [{"status": "affected", "changes": [{"at": "4.2.5", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 4.2.4"}], "packageName": "dokan-lite", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:12.313Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/dokan-lite/vulnerability/wordpress-dokan-plugin-4-2-4-broken-authentication-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Dokan, Inc. Dokan dokan-lite allows Authentication Abuse.This issue affects Dokan: from n/a through <= 4.2.4.", "supportingMedia": [{"type": "text/html", "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Dokan, Inc. Dokan dokan-lite allows Authentication Abuse.<p>This issue affects Dokan: from n/a through <= 4.2.4.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-288", "description": "Authentication Bypass Using an Alternate Path or Channel"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:31.035Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24359", "state": "PUBLISHED", "dateUpdated": "2026-03-26T20:01:35.761Z", "dateReserved": "2026-01-22T14:42:24.567Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:31.035Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Dokan, Inc. Dokan dokan-lite allows Authentication Abuse.This issue affects Dokan: from n/a through <= 4.2.4."}, {"lang": "es", "value": "Vulnerabilidad de omisi\u00f3n de autenticaci\u00f3n usando una ruta o canal alternativo en Dokan, Inc. Dokan dokan-lite permite el abuso de autenticaci\u00f3n. Este problema afecta a Dokan: desde n/a hasta &lt;= 4.2.4."}], "id": "CVE-2026-24359", "lastModified": "2026-03-26T21:17:03.467", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:36.840", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/dokan-lite/vulnerability/wordpress-dokan-plugin-4-2-4-broken-authentication-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-288"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.2.4]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "4.2.5"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Dokan", "source": "cna", "vendor": "Dokan, Inc."}, "product": "dokan", "vendor": "dokan"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T17:45:29.069918+00:00", "value": {"mitigation_remediation": ["Update the Dokan Lite plugin to any version newer than 4.2.4", "If an immediate update is not possible, temporarily deactivate the Dokan plugin until a patched version is available", "After applying the patch, verify that user sessions cannot be hijacked and monitor access logs for suspicious activity"], "summary": {"action": "Patch Immediately", "impact": "Authentication Bypass"}, "threat_synthesis": {"affected_systems": "Dokany plugin for WordPress, specifically versions up to and including 4.2.4. All WordPress installations that utilize Dokan Lite without upgrading to a later release are vulnerable. The issue applies to all users and administrators interacting with the plugin through the web interface.", "description_and_impact": "The vulnerability allows an authentication bypass by exploiting an alternate path or channel in the Dokan Lite WordPress plugin. The flaw can let a remote attacker gain unauthorized access to the system, potentially impersonating any user or administrator. This constitutes a significant loss of confidentiality and integrity of the application data. The weakness is categorized under CWE\u2011288, indicating an authorization bypass with elevated privileges.", "risk_and_exploitability": "Because no CVSS score is publicly listed, the exact severity remains unspecified, but the risk of exploitation is high due to the simplicity of the bypass. The EPSS score is not available and the vulnerability is not currently listed in the CISA KEV catalog. Based on the description, the likely attack vector involves a remote attacker sending a specially crafted HTTP request to an alternate API path or channel. Accessing the site while authenticated in a normal session could allow the attacker to hijack the session or assume higher privileges."}}}}, "created": "2026-03-25T21:34:53.682088+00:00", "updated": "2026-03-26T11:40:07.559111+00:00", "vendors": ["dokan", "dokan$PRODUCT$dokan", "wordpress", "wordpress$PRODUCT$wordpress"]}