Skip to main content

weDocs Plugin EUVDEUVD-2026-41468

| CVE-2026-12729 MEDIUM
Missing Authorization (CWE-862)
2026-07-03 Wordfence GHSA-8rwq-pvxh-vj87
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.4 MEDIUM

Network-accessible AJAX with subscriber auth (AV:N/PR:L); A:L added over provided score because deactivating installed plugins is a concrete availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 03, 2026 - 01:57 vuln.today
CVE Published
Jul 03, 2026 - 01:28 cve.org
MEDIUM 4.3

DescriptionCVE.org

The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 2.3.0. This is due to a missing capability check on the do_migration() function registered as the wedocs_migrate_betterdocs_to_wedocs AJAX action, which performs no nonce verification via check_ajax_referer() and no capability check via current_user_can() before executing sensitive operations. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger a full BetterDocs-to-weDocs data migration, creating and modifying 'docs' custom post type entries with attacker-controlled titles, updating site options, and deactivating the BetterDocs and BetterDocs Pro plugins via deactivate_plugins().

AnalysisAI

Missing authorization on the BetterDocs-to-weDocs migration AJAX endpoint in the weDocs WordPress plugin (versions up to and including 2.3.0) allows any authenticated subscriber-level user to trigger a full data migration, manipulate documentation content, alter site options, and forcibly deactivate installed BetterDocs and BetterDocs Pro plugins. The vulnerable do_migration() function registered under the wedocs_migrate_betterdocs_to_wedocs AJAX action performs neither a nonce check via check_ajax_referer() nor a privilege check via current_user_can(), exposing sensitive administrative operations to the lowest authenticated user tier. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or compromise subscriber account
Delivery
Craft POST to wp-admin/admin-ajax.php with migration action
Exploit
Bypass missing authorization in do_migration()
Execution
Inject attacker-controlled doc titles and site options
Impact
Deactivate BetterDocs/BetterDocs Pro plugins

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold at minimum a Subscriber-level WordPress account on the target site - the lowest authenticated user role. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) correctly identifies network accessibility and low authentication requirements but arguably underweights the availability dimension: the ability to invoke `deactivate_plugins()` against installed plugins is an availability impact, not captured in the A:N metric. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free subscriber account on a target WordPress site running weDocs ≤2.3.0, then sends a crafted POST request to `wp-admin/admin-ajax.php` with `action=wedocs_migrate_betterdocs_to_wedocs` and attacker-controlled migration parameters. The unguarded `do_migration()` function executes, deactivating the BetterDocs and BetterDocs Pro plugins (disabling the competitor documentation system), creating or overwriting 'docs' custom post type entries with attacker-supplied titles, and modifying WordPress site options - all without any administrator interaction.
Remediation Update the weDocs plugin to the version that includes SVN changeset 3589430 or later, which addresses the missing authorization on the migration AJAX action. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41468 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy