Description
Missing Authorization vulnerability in vrpr WDV One Page Docs wdv-one-page-docs allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WDV One Page Docs: from n/a through <= 1.2.4.
Published: 2026-01-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization flaw that allows an attacker to bypass the security levels configured within the WordPress WDV One Page Docs plugin. As a result, users with insufficient privileges could gain access to functions intended only for higher privileged users, potentially exposing or modifying protected content. The primary impact is a breach of confidentiality and integrity within the plugin’s scope; no remote code execution or denial of service is indicated.

Affected Systems

The flaw affects the WDV One Page Docs WordPress plugin by VRPR, versions up through 1.2.4. Any WordPress site running one of these versions without additional patches is vulnerable.

Risk and Exploitability

The CVSS score of 6.5 classifies this as a medium‑severity issue, while the EPSS score of less than 1% indicates a very low likelihood of exploitation, and it is not listed in the CISA KEV catalog. Attacks are most likely carried out via the plugin’s web interface or API endpoints, leveraging improperly configured access controls. An attacker would need to be authenticated with a low‑privilege account to exploit the flaw, unless the site permits unauthenticated access to the plugin’s features. The exploit requires no advanced privileges beyond basic user access and does not involve arbitrary code execution.

Generated by OpenCVE AI on April 29, 2026 at 10:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WDV One Page Docs plugin to the latest available version (or at least a version beyond 1.2.4).
  • If no newer version exists, disable or remove the plugin from the WordPress installation to eliminate the vulnerability.
  • Review and tighten the WordPress role and capability settings, ensuring that only administrators or explicitly authorized users have access to the plugin’s back‑end features.

Generated by OpenCVE AI on April 29, 2026 at 10:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 27 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in vrpr WDV One Page Docs wdv-one-page-docs allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WDV One Page Docs: from n/a through <= 1.2.4.
Title WordPress WDV One Page Docs plugin <= 1.2.4 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:07:23.583Z

Reserved: 2025-12-24T14:00:47.908Z

Link: CVE-2025-68896

cve-icon Vulnrichment

Updated: 2026-01-27T21:25:05.385Z

cve-icon NVD

Status : Deferred

Published: 2026-01-22T17:16:13.240

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-68896

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T11:00:10Z

Weaknesses