Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Stored XSS requires a victim to visit the page (UI:R); contributor authentication required (PR:L); scope changes to victim browser (S:C).
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'sectionTitleTag' and 'articleTitleTag' Block Attributes in all versions up to, and including, 2.3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored Cross-Site Scripting in the weDocs WordPress plugin (versions through 2.3.0) allows authenticated contributors to persist malicious JavaScript in documentation pages by injecting arbitrary values into the 'sectionTitleTag' and 'articleTitleTag' Gutenberg block attributes, which are rendered without sanitization or output escaping in Sidebar block render.php. Any WordPress user who subsequently visits an injected documentation page will execute the attacker's script in their browser context, enabling session hijacking, credential harvesting, or defacement. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress account with contributor-level privileges or higher (PR:L per CVSS vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-assigned CVSS 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) reflects the cross-site scope change inherent to stored XSS but warrants scrutiny: the UI:N metric is debatable for stored XSS, since a victim must passively visit the injected page for the payload to fire - a more precise rating would use UI:R, yielding approximately 5.4. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated WordPress user with contributor-level access creates or edits a weDocs documentation page and sets the 'sectionTitleTag' block attribute to a value containing a malicious script tag (e.g., injecting an XSS payload via the block editor's attribute input). The payload is stored in the post database without sanitization. … |
| Remediation | An upstream fix is available via WordPress plugin repository changeset 3589430 (https://plugins.trac.wordpress.org/changeset?old=3589430%40wedocs&new=3589430%40wedocs), which addresses the missing sanitization and output escaping in render.php. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Stored Cross-Site Scripting in the weDocs WordPress plugin (all versions through 2.3.0) allows authenticated contributor
Missing authorization in weDevs weDocs WordPress plugin through version 2.1.18 allows unauthenticated remote attackers t
Missing authorization on the BetterDocs-to-weDocs migration AJAX endpoint in the weDocs WordPress plugin (versions up to
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41470
GHSA-pr6j-r5mf-cj49