Skip to main content

Wedocs CVE-2026-39520

| EUVDEUVD-2026-20181 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:40 vuln.today
CVSS changed
Apr 13, 2026 - 19:37 NVD
5.3 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20181
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in weDevs weDocs wedocs allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects weDocs: from n/a through <= 2.1.18.

AnalysisAI

Missing authorization in weDevs weDocs WordPress plugin through version 2.1.18 allows unauthenticated remote attackers to modify content by exploiting incorrectly configured access control security levels. The vulnerability enables unauthorized modification of protected documents via a network request without authentication, though with limited information disclosure impact. EPSS score of 0.02% indicates minimal real-world exploitation probability despite the moderate CVSS rating.

Technical ContextAI

The vulnerability stems from CWE-862 (Missing Authorization), a common web application flaw where access control checks are not properly enforced on sensitive operations. The weDevs weDocs plugin is a WordPress document management system that manages access to documentation and knowledge base content. The underlying issue involves the plugin's failure to validate user permissions before allowing modifications to documents or configuration settings that should be restricted to authorized administrators. This affects the core WordPress ecosystem where plugins extend site functionality, and improper access control can allow attackers to bypass role-based permission models that WordPress provides through its user capability system.

RemediationAI

Upgrade weDevs weDocs plugin to a version newer than 2.1.18 immediately. WordPress administrators should access the plugin management dashboard, locate weDocs, and apply the latest available update from the WordPress plugin repository. If an updated version beyond 2.1.18 is not yet available, temporarily deactivate the plugin until a patched release is published. Verify the update through the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wedocs/vulnerability/wordpress-wedocs-plugin-2-1-18-broken-access-control-vulnerability to confirm the fixed version number.

Share

CVE-2026-39520 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy