Description
The weDocs plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.1.14. This is due to the plugin not properly verifying that a user is authorized to perform an action in the create_item_permissions_check function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify global plugin settings.
Published: 2025-12-06
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification of global plugin settings
Action: Check patch
AI Analysis

Impact

The weDocs plugin for WordPress contains an authorization flaw that allows any authenticated user with a Subscriber role or higher to modify the plugin’s global settings. This happens because the create_item_permissions_check function in the Settings API does not verify that the caller has sufficient privileges. If exploited, an attacker can alter configuration values that affect the entire knowledge base, potentially redirecting content or disabling documentation features.

Affected Systems

WordPress sites that use the weDocs plugin version 2.1.14 or earlier are vulnerable. The plugin, sold by wedevs as an AI‑powered knowledge base and documentation platform, must be examined on all installations running these legacy releases.

Risk and Exploitability

The vulnerability is scored with a CVSS of 5.4, indicating moderate severity. The EPSS score of less than 1% suggests a low probability of current exploitation, and the vulnerability is not present in the CISA KEV catalog. An attacker must first authenticate to the WordPress site with a Subscriber or greater role; no additional conditions such as remote network exposure are required. Once authenticated, the attacker can call the Settings API endpoint to change any configuration parameter.

Generated by OpenCVE AI on April 22, 2026 at 12:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the weDocs plugin to the newest release from the vendor that includes the missing authorization check, if one is available.
  • If no update exists, restrict users who hold the Subscriber role or lower from accessing the plugin’s Settings API or related admin pages, for example by adjusting role capabilities or using a role‑management plugin to remove the required capability.
  • As a temporary workaround, deactivate or uninstall the weDocs plugin until an official fix is released, or manually patch the SettingsApi.php file to add a proper capability check before allowing settings changes.

Generated by OpenCVE AI on April 22, 2026 at 12:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Dec 2025 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Mon, 08 Dec 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 06 Dec 2025 04:45:00 +0000

Type Values Removed Values Added
Description The weDocs plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.1.14. This is due to the plugin not properly verifying that a user is authorized to perform an action in the create_item_permissions_check function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify global plugin settings.
Title weDocs <= 2.1.14 - Missing Authorization to Settings Update
Weaknesses CWE-285
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:48:00.808Z

Reserved: 2025-10-30T13:38:25.116Z

Link: CVE-2025-12505

cve-icon Vulnrichment

Updated: 2025-12-08T20:51:27.733Z

cve-icon NVD

Status : Deferred

Published: 2025-12-06T05:16:43.790

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12505

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T12:30:16Z

Weaknesses