Description
The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to unauthorized modification or loss of data due to a missing capability check on the 'wedocs_user_documentation_handling_capabilities' function in all versions up to, and including, 2.1.16. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit any documentation post. The vulnerability was partially patched in version 2.1.16.
Published: 2026-01-23
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification of documentation posts
Action: Immediate Patch
AI Analysis

Impact

The weDocs AI Powered Knowledge Base plugin for WordPress has a missing capability check that lets any authenticated user with Subscriber-level access edit or delete any documentation post. This flaw permits an attacker to alter or remove content, compromising data integrity and potentially propagating misinformation. The weakness is a classic missing authorization failure, identified as CWE‑862.

Affected Systems

The plugin sold by wedevs, known as weDocs, is vulnerable in all releases up to and including version 2.1.16. Users running any of those versions should consider the plugin affected.

Risk and Exploitability

The CVSS score of 4.3 suggests moderate severity, and the EPSS score of less than 1 % indicates a very low probability of exploitation in the wild. The flaw is not yet listed in CISA’s KEV catalog. Because the attack requires authentication, the attack vector is limited to users who have Subscriber or higher permissions, but once accessed the attacker can modify any post without restriction. The partial patch in 2.1.16 adds the missing capability check, so installing that version eliminates the vulnerability.

Generated by OpenCVE AI on April 21, 2026 at 00:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the weDocs plugin to version 2.1.16 or later, which fixes the missing capability check.
  • Remove the ‘wedocs_user_documentation_handling_capabilities’ permission from Subscriber and lower roles, or use a role‑management plugin to revoke that capability, thereby preventing unauthorized edits.
  • If an upgrade is not immediately available, disable or uninstall the weDocs plugin until a secure version can be applied.

Generated by OpenCVE AI on April 21, 2026 at 00:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 26 Jan 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Wedevs
Wedevs wedocs
Wordpress
Wordpress wordpress
Vendors & Products Wedevs
Wedevs wedocs
Wordpress
Wordpress wordpress

Fri, 23 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 13:45:00 +0000

Type Values Removed Values Added
Description The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to unauthorized modification or loss of data due to a missing capability check on the 'wedocs_user_documentation_handling_capabilities' function in all versions up to, and including, 2.1.16. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit any documentation post. The vulnerability was partially patched in version 2.1.16.
Title weDocs <= 2.1.16 - Missing Authorization to Authenticated (Subscriber+) Documentation Post Update
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Wedevs Wedocs
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:20:52.515Z

Reserved: 2025-12-02T19:00:31.637Z

Link: CVE-2025-13921

cve-icon Vulnrichment

Updated: 2026-01-23T18:39:57.474Z

cve-icon NVD

Status : Deferred

Published: 2026-01-23T14:16:12.663

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13921

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T00:30:22Z

Weaknesses