CVE-2025-14977
Published: 20 January 2026
Summary
CVE-2025-14977 is a high-severity Improper Access Control (CWE-284) vulnerability in the Dokan (AI Powered WooCommerce Multivendor Marketplace Solution) plugin for WordPress, affecting versions up to and including 4.2.4. Its CVSS 3.1 base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 17.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
The automated classifier on this page flags the vulnerability as AI-related (category Other Platforms; risk domain Privacy and Disclosure) only because the keyword "ai" matched the plugin's name ("AI Powered"); the vulnerability description itself concerns ordinary REST API authorization, not an AI/ML component.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-14977 is an Insecure Direct Object Reference vulnerability in the Dokan: AI Powered WooCommerce Multivendor Marketplace Solution plugin for WordPress, affecting versions up to and including 4.2.4. The flaw exists in the `/wp-json/dokan/v1/settings` REST API endpoint due to missing validation on a user-controlled key, enabling unauthorized access to other users' store settings. It carries a CVSS score of 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) and maps to CWE-284.
Authenticated attackers with customer-level permissions or higher can exploit this vulnerability over the network with low complexity. They can read or modify other vendors' store settings, exposing or altering sensitive payment information such as PayPal email addresses, bank account details, routing numbers, IBAN, and SWIFT codes, as well as phone numbers and addresses. Attackers can specifically change PayPal email addresses to attacker-controlled ones, facilitating financial theft during marketplace payout processing.
References in the WordPress plugins trac repository point to the vulnerable code in `StoreSettingController.php` at lines 85, 109, 131, and 152, and to changeset 3432750, diffed against revision 3427612 of the dokan-lite trunk. Together they identify where the patched plugin adds the missing validation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3482
Vulnerability details
The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.2.4 via the `/wp-json/dokan/v1/settings` REST API endpoint due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with customer-level permissions and above, to read or modify other vendors' store settings including sensitive payment information (PayPal email, bank account details, routing numbers, IBAN, SWIFT codes), phone numbers, and addresses, and change PayPal email addresses to attacker-controlled addresses, enabling financial theft when the marketplace processes payouts.
- CWE(s): CWE-284 (Improper Access Control)
AI Security Analysis
- AI Category: Other Platforms
- Risk Domain: Privacy and Disclosure
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An IDOR in a public-facing WordPress REST endpoint directly enables exploitation of the application (T1190) and unauthorized access to vendors' payout details (T1552.001), which in turn facilitates financial theft by redirecting marketplace payouts (T1657).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations on the `/wp-json/dokan/v1/settings` API endpoint so that authenticated customer-level users cannot read or modify other vendors' store settings.
- SI-10 (Information Input Validation): validates the user-controlled key in API requests so that it can only reference the authenticated user's own store settings, directly addressing the missing validation that causes the IDOR.
- AC-6 (Least Privilege): restricts what customer-level accounts may reach, reducing the impact of any unauthorized access to vendor payment and contact information.
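To make the failure mode in the vulnerability details and the three controls above concrete, here is an added illustration of the IDOR pattern in a WordPress REST route beside a hardened version. This is example code written for this page, not Dokan's `StoreSettingController.php`; the route namespace `example/v1`, the request key `vendor_id`, the user-meta key `example_store_settings`, the capability `example_vendor` and the settings layout are all hypothetical, and the generic shape (a caller-supplied key selecting whose record is read or written) is what the CVE text describes, not its exact parameter.

```php
<?php
// Added illustration, not Dokan's code. Everything named here is hypothetical.

// Hypothetical storage: a vendor's store settings live in user meta under the vendor's user ID.
function example_get_store_settings( int $vendor_id ): array {
    $settings = get_user_meta( $vendor_id, 'example_store_settings', true );
    return is_array( $settings ) ? $settings : [];
}

function example_save_store_settings( int $vendor_id, array $settings ): bool {
    return (bool) update_user_meta( $vendor_id, 'example_store_settings', $settings );
}

// VULNERABLE PATTERN (never hooked below): any logged-in user passes the permission
// check, and the caller-supplied `vendor_id` decides whose settings are returned or
// overwritten. A customer account can therefore read another vendor's bank details or
// replace their PayPal email with an attacker-controlled one.
function example_register_vulnerable_route(): void {
    register_rest_route( 'example/v1', '/settings-vulnerable', [
        [
            'methods'             => WP_REST_Server::READABLE,
            'permission_callback' => 'is_user_logged_in',
            'callback'            => function ( WP_REST_Request $request ) {
                $vendor_id = (int) $request->get_param( 'vendor_id' ); // attacker-controlled key
                return rest_ensure_response( example_get_store_settings( $vendor_id ) );
            },
        ],
        [
            'methods'             => WP_REST_Server::EDITABLE,
            'permission_callback' => 'is_user_logged_in',
            'callback'            => function ( WP_REST_Request $request ) {
                $vendor_id           = (int) $request->get_param( 'vendor_id' ); // attacker-controlled key
                $settings            = example_get_store_settings( $vendor_id );
                $settings['payment'] = $request->get_param( 'payment' ); // unvalidated payout details
                example_save_store_settings( $vendor_id, $settings );
                return rest_ensure_response( $settings );
            },
        ],
    ] );
}

// HARDENED PATTERN: AC-3 (only vendor accounts may call the route), SI-10 (a supplied
// key is accepted only if it equals the caller's own ID, and payout fields are validated),
// AC-6 (the target store is derived from the authenticated session, so a customer-level
// account has no path to another vendor's record).
function example_settings_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Login required.', [ 'status' => 401 ] );
    }
    // `example_vendor` is a hypothetical capability granted only to vendor accounts.
    if ( ! current_user_can( 'example_vendor' ) ) {
        return new WP_Error( 'rest_forbidden', 'Vendor role required.', [ 'status' => 403 ] );
    }
    $requested = $request->get_param( 'vendor_id' );
    if ( null !== $requested && (int) $requested !== get_current_user_id() ) {
        return new WP_Error( 'rest_forbidden', 'You may only access your own store.', [ 'status' => 403 ] );
    }
    return true;
}

function example_register_hardened_route(): void {
    register_rest_route( 'example/v1', '/settings', [
        [
            'methods'             => WP_REST_Server::READABLE,
            'permission_callback' => 'example_settings_permission',
            'callback'            => function ( WP_REST_Request $request ) {
                // Identity comes from the session, never from the request.
                return rest_ensure_response( example_get_store_settings( get_current_user_id() ) );
            },
        ],
        [
            'methods'             => WP_REST_Server::EDITABLE,
            'permission_callback' => 'example_settings_permission',
            'args'                => [
                'payment' => [
                    'type'              => 'object',
                    'validate_callback' => 'rest_validate_request_arg',
                    'sanitize_callback' => 'rest_sanitize_request_arg',
                ],
            ],
            'callback'            => function ( WP_REST_Request $request ) {
                $vendor_id = get_current_user_id();
                $payment   = (array) $request->get_param( 'payment' );
                if ( isset( $payment['paypal']['email'] ) && ! is_email( $payment['paypal']['email'] ) ) {
                    return new WP_Error( 'rest_invalid_param', 'Invalid PayPal email.', [ 'status' => 400 ] );
                }
                $settings            = example_get_store_settings( $vendor_id );
                $settings['payment'] = $payment;
                example_save_store_settings( $vendor_id, $settings );
                return rest_ensure_response( $settings );
            },
        ],
    ] );
}

add_action( 'rest_api_init', 'example_register_hardened_route' );
```

The check a practitioner would run against a site that still carries the vulnerable pattern is the read half of this: authenticate as a plain customer account and request the settings route with another vendor's identifier; a patched endpoint answers 403, an unpatched one returns that vendor's payout details. Note that the hardened version removes the caller's ability to choose the record at all rather than merely adding an equality check, which is the safer shape because every future handler on the route inherits it.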