{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24359", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-22T14:42:24.567Z", "datePublished": "2026-03-25T16:14:31.035Z", "dateUpdated": "2026-03-25T16:14:31.035Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "dokan-lite", "product": "Dokan", "vendor": "Dokan, Inc.", "versions": [{"changes": [{"at": "4.2.5", "status": "unaffected"}], "lessThanOrEqual": "<= 4.2.4", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:12.313Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Dokan, Inc. Dokan dokan-lite allows Authentication Abuse.<p>This issue affects Dokan: from n/a through <= 4.2.4.</p>"}], "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Dokan, Inc. Dokan dokan-lite allows Authentication Abuse.This issue affects Dokan: from n/a through <= 4.2.4."}], "impacts": [{"capecId": "CAPEC-114", "descriptions": [{"lang": "en", "value": "Authentication Abuse"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-288", "description": "Authentication Bypass Using an Alternate Path or Channel", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:31.035Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/dokan-lite/vulnerability/wordpress-dokan-plugin-4-2-4-broken-authentication-vulnerability?_s_id=cve"}], "title": "WordPress Dokan plugin <= 4.2.4 - Broken Authentication vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Dokan, Inc. Dokan dokan-lite allows Authentication Abuse.This issue affects Dokan: from n/a through <= 4.2.4."}], "id": "CVE-2026-24359", "lastModified": "2026-03-25T17:16:36.840", "metrics": {}, "published": "2026-03-25T17:16:36.840", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/dokan-lite/vulnerability/wordpress-dokan-plugin-4-2-4-broken-authentication-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-288"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T17:45:29.069918+00:00", "value": {"mitigation_remediation": ["Update the Dokan Lite plugin to any version newer than 4.2.4", "If an immediate update is not possible, temporarily deactivate the Dokan plugin until a patched version is available", "After applying the patch, verify that user sessions cannot be hijacked and monitor access logs for suspicious activity"], "summary": {"action": "Patch Immediately", "impact": "Authentication Bypass"}, "threat_synthesis": {"affected_systems": "Dokany plugin for WordPress, specifically versions up to and including 4.2.4. All WordPress installations that utilize Dokan Lite without upgrading to a later release are vulnerable. The issue applies to all users and administrators interacting with the plugin through the web interface.", "description_and_impact": "The vulnerability allows an authentication bypass by exploiting an alternate path or channel in the Dokan Lite WordPress plugin. The flaw can let a remote attacker gain unauthorized access to the system, potentially impersonating any user or administrator. This constitutes a significant loss of confidentiality and integrity of the application data. The weakness is categorized under CWE\u2011288, indicating an authorization bypass with elevated privileges.", "risk_and_exploitability": "Because no CVSS score is publicly listed, the exact severity remains unspecified, but the risk of exploitation is high due to the simplicity of the bypass. The EPSS score is not available and the vulnerability is not currently listed in the CISA KEV catalog. Based on the description, the likely attack vector involves a remote attacker sending a specially crafted HTTP request to an alternate API path or channel. Accessing the site while authenticated in a normal session could allow the attacker to hijack the session or assume higher privileges."}}}}, "created": "2026-03-25T21:34:53.682088+00:00", "updated": "2026-03-25T21:34:53.682126+00:00", "vendors": []}