Impact
The vulnerability is a missing authorization flaw in the WP Docs plugin, allowing unauthorized users to obtain access to areas of the website that are intended to be controlled, such as documentation pages marked as private or restricted by the site owner. The flaw could enable a threat actor to read confidential documents, modify content, or perform other privileged actions if the plugin lacks proper permissions checks. Because the exploit does not require authentication, it threatens the confidentiality and integrity of the site’s documentation resources.
Affected Systems
Vendor: Fahad Mahmood; Product: WP Docs plugin for WordPress. Versions impacted include all releases prior to 2.2.7; any installation with a version number lower than 2.2.7 or an unknown version is considered vulnerable until upgraded. No other product variants or sub‑products are listed in the CVE data.
Risk and Exploitability
The CVSS score of 4.3 indicates medium severity, and an EPSS score of less than 1% suggests that, at the time of this analysis, the probability of real‑world exploitation is very low. The vulnerability is not listed in the CISA KEV catalog. The plugin’s code is executed on every request to the site’s admin or document pages, so the most likely attack vector would be a remote web request that targets a URL served by the WP Docs plugin. Although the flaw’s findability is short‑lived and no exploit is immediately available in the public domain, monitoring remains prudent.