Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in weDevs weDocs wedocs allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects weDocs: from n/a through <= 2.1.18.
AnalysisAI
Missing authorization in weDevs weDocs WordPress plugin through version 2.1.18 allows unauthenticated remote attackers to modify content by exploiting incorrectly configured access control security levels. The vulnerability enables unauthorized modification of protected documents via a network request without authentication, though with limited information disclosure impact. EPSS score of 0.02% indicates minimal real-world exploitation probability despite the moderate CVSS rating.
Technical ContextAI
The vulnerability stems from CWE-862 (Missing Authorization), a common web application flaw where access control checks are not properly enforced on sensitive operations. The weDevs weDocs plugin is a WordPress document management system that manages access to documentation and knowledge base content. The underlying issue involves the plugin's failure to validate user permissions before allowing modifications to documents or configuration settings that should be restricted to authorized administrators. This affects the core WordPress ecosystem where plugins extend site functionality, and improper access control can allow attackers to bypass role-based permission models that WordPress provides through its user capability system.
RemediationAI
Upgrade weDevs weDocs plugin to a version newer than 2.1.18 immediately. WordPress administrators should access the plugin management dashboard, locate weDocs, and apply the latest available update from the WordPress plugin repository. If an updated version beyond 2.1.18 is not yet available, temporarily deactivate the plugin until a patched release is published. Verify the update through the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wedocs/vulnerability/wordpress-wedocs-plugin-2-1-18-broken-access-control-vulnerability to confirm the fixed version number.
Stored Cross-Site Scripting in the weDocs WordPress plugin (versions through 2.3.0) allows authenticated contributors to
Stored Cross-Site Scripting in the weDocs WordPress plugin (all versions through 2.3.0) allows authenticated contributor
Missing authorization on the BetterDocs-to-weDocs migration AJAX endpoint in the weDocs WordPress plugin (versions up to
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20181