Skip to main content

Wedocs

4 CVEs product

Monthly

CVE-2026-12731 MEDIUM This Month

Stored Cross-Site Scripting in the weDocs WordPress plugin (versions through 2.3.0) allows authenticated contributors to persist malicious JavaScript in documentation pages by injecting arbitrary values into the 'sectionTitleTag' and 'articleTitleTag' Gutenberg block attributes, which are rendered without sanitization or output escaping in Sidebar block render.php. Any WordPress user who subsequently visits an injected documentation page will execute the attacker's script in their browser context, enabling session hijacking, credential harvesting, or defacement. No public exploit code or CISA KEV listing has been identified, but the low privilege bar (contributor) makes this accessible to a broad class of authenticated WordPress users.

WordPress XSS Wedocs
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-12729 MEDIUM This Month

Missing authorization on the BetterDocs-to-weDocs migration AJAX endpoint in the weDocs WordPress plugin (versions up to and including 2.3.0) allows any authenticated subscriber-level user to trigger a full data migration, manipulate documentation content, alter site options, and forcibly deactivate installed BetterDocs and BetterDocs Pro plugins. The vulnerable `do_migration()` function registered under the `wedocs_migrate_betterdocs_to_wedocs` AJAX action performs neither a nonce check via `check_ajax_referer()` nor a privilege check via `current_user_can()`, exposing sensitive administrative operations to the lowest authenticated user tier. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Authentication Bypass WordPress Wedocs
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-12734 MEDIUM This Month

Stored Cross-Site Scripting in the weDocs WordPress plugin (all versions through 2.3.0) allows authenticated contributors to inject persistent malicious scripts via the unsanitized 'connectorWidth' block attribute in the Sidebar block renderer (render.php lines 138 and 161). Any site visitor loading an affected documentation page triggers the payload in their browser, enabling session hijacking, credential harvesting, or malicious redirects. No active exploitation is confirmed in CISA KEV and no public exploit has been identified at time of analysis, though the attack technique is low-complexity for anyone with block editor knowledge.

WordPress XSS Wedocs
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-39520 MEDIUM This Month

Missing authorization in weDevs weDocs WordPress plugin through version 2.1.18 allows unauthenticated remote attackers to modify content by exploiting incorrectly configured access control security levels. The vulnerability enables unauthorized modification of protected documents via a network request without authentication, though with limited information disclosure impact. EPSS score of 0.02% indicates minimal real-world exploitation probability despite the moderate CVSS rating.

Authentication Bypass Wedocs
NVD
CVSS 3.1
5.3
EPSS
0.0%
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the weDocs WordPress plugin (versions through 2.3.0) allows authenticated contributors to persist malicious JavaScript in documentation pages by injecting arbitrary values into the 'sectionTitleTag' and 'articleTitleTag' Gutenberg block attributes, which are rendered without sanitization or output escaping in Sidebar block render.php. Any WordPress user who subsequently visits an injected documentation page will execute the attacker's script in their browser context, enabling session hijacking, credential harvesting, or defacement. No public exploit code or CISA KEV listing has been identified, but the low privilege bar (contributor) makes this accessible to a broad class of authenticated WordPress users.

WordPress XSS Wedocs
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing authorization on the BetterDocs-to-weDocs migration AJAX endpoint in the weDocs WordPress plugin (versions up to and including 2.3.0) allows any authenticated subscriber-level user to trigger a full data migration, manipulate documentation content, alter site options, and forcibly deactivate installed BetterDocs and BetterDocs Pro plugins. The vulnerable `do_migration()` function registered under the `wedocs_migrate_betterdocs_to_wedocs` AJAX action performs neither a nonce check via `check_ajax_referer()` nor a privilege check via `current_user_can()`, exposing sensitive administrative operations to the lowest authenticated user tier. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Authentication Bypass WordPress Wedocs
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the weDocs WordPress plugin (all versions through 2.3.0) allows authenticated contributors to inject persistent malicious scripts via the unsanitized 'connectorWidth' block attribute in the Sidebar block renderer (render.php lines 138 and 161). Any site visitor loading an affected documentation page triggers the payload in their browser, enabling session hijacking, credential harvesting, or malicious redirects. No active exploitation is confirmed in CISA KEV and no public exploit has been identified at time of analysis, though the attack technique is low-complexity for anyone with block editor knowledge.

WordPress XSS Wedocs
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Missing authorization in weDevs weDocs WordPress plugin through version 2.1.18 allows unauthenticated remote attackers to modify content by exploiting incorrectly configured access control security levels. The vulnerability enables unauthorized modification of protected documents via a network request without authentication, though with limited information disclosure impact. EPSS score of 0.02% indicates minimal real-world exploitation probability despite the moderate CVSS rating.

Authentication Bypass Wedocs
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy