Description
The weDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.15 via the `/wp-json/wp/v2/docs/settings` REST API endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including third party services API keys.
Published: 2026-01-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Exposure
Action: Apply Patch
AI Analysis

Impact

The weDocs plugin for WordPress contains an authentication flaw that allows unauthenticated attackers to access the /wp-json/wp/v2/docs/settings REST API. This endpoint returns sensitive configuration data, including third‑party API keys, which can be used to compromise connected services. The vulnerability conforms to CWE‑200: Information Exposure, leading to confidentiality loss and potential downstream exploitation of the exposed services.

Affected Systems

All installations of the weDocs plugin with versions 2.1.15 or earlier are affected. The plugin is maintained by wedevs and distributed through the WordPress plugin repository. The vulnerability is present in every installation that has not yet upgraded to the patched release 2.1.16.

Risk and Exploitability

The CVSS score of 5.3 places this vulnerability in the moderate risk category. The EPSS score indicates a very low likelihood of exploitation at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog. The issue can be exploited simply by making an unauthenticated GET request to the exposed REST endpoint; no additional privileges are required. This makes the attack straightforward, but the low exploitation probability mitigates the overall risk to some extent.

Generated by OpenCVE AI on April 20, 2026 at 21:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade weDocs to version 2.1.16 or later where the issue is fixed.
  • Restrict the /wp-json/wp/v2/docs/settings endpoint to authenticated users only, for example by using a firewall rule, .htaccess restriction, or plugin configuration.
  • Periodically review the plugin’s REST endpoints and audit exposed data to ensure no inadvertent information disclosure.

Generated by OpenCVE AI on April 20, 2026 at 21:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 09 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 09 Jan 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Wedevs
Wedevs wedocs
Wordpress
Wordpress wordpress
Vendors & Products Wedevs
Wedevs wedocs
Wordpress
Wordpress wordpress

Fri, 09 Jan 2026 06:45:00 +0000

Type Values Removed Values Added
Description The weDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.15 via the `/wp-json/wp/v2/docs/settings` REST API endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including third party services API keys.
Title weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot <= 2.1.15 - Unauthenticated Sensitive Information Exposure
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Wedevs Wedocs
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:23:36.966Z

Reserved: 2025-12-12T12:23:59.405Z

Link: CVE-2025-14574

cve-icon Vulnrichment

Updated: 2026-01-09T19:18:18.381Z

cve-icon NVD

Status : Deferred

Published: 2026-01-09T07:16:00.050

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14574

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T21:15:20Z

Weaknesses