
CVE-2025-14977

Severity: High
Published: 20 January 2026
Modified: 15 April 2026
CVSS Score (v3.1): 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0027 (17.7th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-14977 is a high-severity Improper Access Control (CWE-284) vulnerability in WordPress (inferred from references). Its CVSS base score is 8.1 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 17.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

This vulnerability is classified as AI-related, in the Other Platforms category and the Privacy and Disclosure risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-14977 is an Insecure Direct Object Reference vulnerability in the Dokan: AI Powered WooCommerce Multivendor Marketplace Solution plugin for WordPress, affecting versions up to and including 4.2.4. The flaw exists in the `/wp-json/dokan/v1/settings` REST API endpoint due to missing validation on a user-controlled key, enabling unauthorized access to other users' store settings. It carries a CVSS score of 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) and maps to CWE-284.

Authenticated attackers with customer-level permissions or higher can exploit this vulnerability over the network with low complexity. They can read or modify other vendors' store settings, exposing or altering sensitive payment information such as PayPal email addresses, bank account details, routing numbers, IBAN, and SWIFT codes, as well as phone numbers and addresses. Attackers can specifically change PayPal email addresses to attacker-controlled ones, facilitating financial theft during marketplace payout processing.

References in the WordPress plugins trac repository highlight the vulnerable code in `StoreSettingController.php` at lines 85, 109, 131, and 152, along with changeset 3432750 comparing changes from revision 3427612 in the dokan-lite trunk. These indicate locations for validation fixes in patched versions of the plugin.

Vulnerability details

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.2.4 via the `/wp-json/dokan/v1/settings` REST API endpoint due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with customer-level permissions and above, to read or modify other vendors' store settings including sensitive payment information (PayPal email, bank account details, routing numbers, IBAN, SWIFT codes), phone numbers, and addresses, and change PayPal email addresses to attacker-controlled addresses, enabling financial theft when the marketplace processes payouts.

AI Security Analysis

AI Category: Other Platforms
Risk Domain: Privacy and Disclosure
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1552.001 Credentials In Files (Credential Access)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

T1657 Financial Theft (Impact)
Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims.
Why these techniques?

An IDOR in a public-facing WordPress REST endpoint directly enables exploitation of the application (T1190) and unauthorized access to payment credentials (T1552.001), facilitating financial theft via payout manipulation (T1657).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32138 (shared CWE-284)
CVE-2026-30140 (shared CWE-284)
CVE-2026-7813 (shared CWE-284)
CVE-2026-7198 (shared CWE-284)
CVE-2026-46818 (shared CWE-284)
CVE-2025-70363 (shared CWE-284)
CVE-2026-34310 (shared CWE-284)
CVE-2026-46839 (shared CWE-284)
CVE-2026-34287 (shared CWE-284)
CVE-2026-44277 (shared CWE-284)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)
Enforces approved authorizations on the `/wp-json/dokan/v1/settings` API endpoint to prevent authenticated customer-level users from accessing or modifying other vendors' store settings.

SI-10 Information Input Validation (prevent)
Validates the user-controlled key in API requests to ensure it references only the authorized user's own store settings, directly mitigating the missing validation that causes the IDOR.

AC-6 Least Privilege (prevent)
Applies least privilege to restrict customer-level permissions, reducing the impact of unauthorized access to vendor payment and contact information.
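The following is an added, hypothetical example (not Dokan's code and not taken from the referenced changeset) of the pattern the AC-3 and SI-10 controls describe for a WordPress REST route: the permission callback rejects any request that names a store other than the caller's own, and the handler resolves the target store from the authenticated session rather than from a caller-supplied key. The route name, the option key and the user-meta key that maps a user to a store id are assumptions.

```php
<?php
// Added example, not the plugin's own code. The route, the option key and
// the user-meta key that maps a user to their store id are hypothetical.

// Resolve the store id that belongs to the authenticated user (0 if none).
function example_current_store_id() {
    return (int) get_user_meta( get_current_user_id(), 'example_store_id', true );
}

// permission_callback: caller must be logged in and, if the request names a
// store_id, it must equal the caller's own store. A WP_Error yields 401/403.
function example_settings_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_unauthorized', 'Login required.', array( 'status' => 401 ) );
    }
    $own       = example_current_store_id();
    $requested = $request->get_param( 'store_id' );
    if ( 0 === $own || ( null !== $requested && (int) $requested !== $own ) ) {
        return new WP_Error( 'rest_forbidden', 'Not your store.', array( 'status' => 403 ) );
    }
    return true;
}

// Handler: the target store comes from the session-bound lookup, never from
// a caller-supplied key, so the request cannot select another vendor's data.
function example_update_settings( WP_REST_Request $request ) {
    $store_id = example_current_store_id();
    $key      = 'example_store_settings_' . $store_id;
    $settings = get_option( $key, array() );
    $email    = sanitize_email( (string) $request->get_param( 'paypal_email' ) );
    if ( '' !== $email ) {
        if ( ! is_email( $email ) ) {
            return new WP_Error( 'rest_invalid_param', 'Invalid email.', array( 'status' => 400 ) );
        }
        $settings['paypal_email'] = $email;
    }
    update_option( $key, $settings );
    return rest_ensure_response( $settings );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/settings', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_update_settings',
        'permission_callback' => 'example_settings_permission',
    ) );
} );
```

A request that carries another vendor's `store_id` is refused with 403 before the handler runs, and a request that omits it can only ever touch the caller's own settings.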
