CVE-2020-36748 : Security Advisory and Response

Learn about CVE-2020-36748, a Cross-Site Request Forgery vulnerability in the Dokan plugin for WordPress up to version 3.0.8. Find out the impact, affected systems, exploitation method, and mitigation steps.

CVE-2020-36748, assigned by Wordfence, pertains to a Cross-Site Request Forgery vulnerability in the Dokan plugin for WordPress.

Understanding CVE-2020-36748

This CVE involves a security issue in the Dokan plugin for WordPress that allows unauthenticated attackers to trigger an order export through a forged request.

What is CVE-2020-36748?

The Dokan plugin for WordPress is susceptible to Cross-Site Request Forgery up to version 3.0.8 due to missing or incorrect nonce validation on the handle_order_export() function.

The Impact of CVE-2020-36748

This vulnerability enables unauthenticated attackers to manipulate site administrators into executing actions, such as initiating an order export, by deceiving them into clicking on a link.

Technical Details of CVE-2020-36748

Vulnerability Description

The Dokan plugin for WordPress, up to and including version 3.0.8, is vulnerable to Cross-Site Request Forgery because the handle_order_export() function does not correctly validate a nonce on incoming requests, so a request forged by an unauthenticated attacker is processed as if it came from the logged-in user.

Affected Systems and Versions

        Vendor: wedevs
        Product: Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy
        Versions Affected: Up to and including 3.0.8

Exploitation Mechanism

Attackers can trigger an order export through a forged request by leveraging the missing or incorrect nonce validation on the handle_order_export() function.
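The following PHP is an added illustration of the weak pattern described above beside its hardened form; it is not Dokan's source code. It shows an admin-post export handler with no nonce check, then the same handler guarded with the WordPress nonce API and a capability check. The function, hook and helper names prefixed example_ and the helper example_stream_orders_csv() are hypothetical; wp_nonce_url(), check_admin_referer(), current_user_can() and the manage_woocommerce capability are real WordPress/WooCommerce APIs, and the choice of that capability is an assumption.

```php
<?php
// Added example, not Dokan's code. All example_* names are hypothetical.

// Weak pattern: any request to admin-post.php?action=example_order_export
// runs the export. A page under an attacker's control that an administrator
// loads can issue that request with the administrator's session cookies.
function example_order_export_weak() {
    $vendor_id = isset( $_GET['vendor_id'] ) ? absint( $_GET['vendor_id'] ) : 0;
    example_stream_orders_csv( $vendor_id ); // hypothetical helper that sends the CSV
    exit;
}

// Hardened pattern, part 1: the export link is generated with wp_nonce_url(),
// which appends a _wpnonce token bound to the logged-in user, the current
// session and the action string (here also bound to the vendor id).
function example_order_export_link( $vendor_id ) {
    $url = add_query_arg(
        array(
            'action'    => 'example_order_export',
            'vendor_id' => absint( $vendor_id ),
        ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'example_order_export_' . absint( $vendor_id ) );
}

// Hardened pattern, part 2: the handler rejects any request whose nonce is
// missing, expired or issued for a different action, then enforces a
// capability check. A nonce only proves intent; it is not authorization.
function example_order_export_hardened() {
    $vendor_id = isset( $_GET['vendor_id'] ) ? absint( $_GET['vendor_id'] ) : 0;

    // check_admin_referer() reads _wpnonce and calls wp_die() if it is invalid.
    check_admin_referer( 'example_order_export_' . $vendor_id );

    // Assumption: exporting orders requires the WooCommerce manager capability.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( esc_html__( 'You are not allowed to export orders.', 'example' ), 403 );
    }

    example_stream_orders_csv( $vendor_id ); // hypothetical helper
    exit;
}

// Only the hardened handler is registered; the weak one is shown for contrast.
add_action( 'admin_post_example_order_export', 'example_order_export_hardened' );
```

A nonce check alone is the fix the advisory describes; the capability check is added because a valid nonce from a low-privileged user must not grant an export that user could not otherwise perform.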

Mitigation and Prevention

Immediate Steps to Take

        Update the Dokan plugin to version 3.0.9 or higher to mitigate the vulnerability.
        Be cautious of clicking on links from untrusted sources to prevent CSRF attacks.

Long-Term Security Practices

        Regularly monitor and apply security patches to all WordPress plugins and themes.
        Educate site administrators on the risks of CSRF attacks and how to identify suspicious activities.

Patching and Updates

Ensure timely installation of security updates and patches for the Dokan plugin to address known vulnerabilities.
