Description
Missing Authorization vulnerability in Fahad Mahmood WP Docs wp-docs allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Docs: from n/a through <= 2.2.8.
Published: 2026-02-03
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Broken access control in WP Docs
Action: Apply Patch
AI Analysis

Impact

A missing authorization flaw in the Fahad Mahmood WP Docs plugin allows an attacker to bypass the plugin’s access control settings and potentially view or manipulate documents that should be restricted. The vulnerability is due to incorrectly configured security levels, enabling unauthorized users to perform actions normally limited to privileged roles. This can lead to unauthorized disclosure of sensitive content or unintended modification of documents stored in WordPress.

Affected Systems

WordPress sites utilizing the WP Docs plugin by Fahad Mahmood, versions from the initial release (n/a) through 2.2.8, are affected. The vulnerability applies when the plugin is active and the access control configuration is not properly enforced.

Risk and Exploitability

The CVSS score of 5.4 indicates a moderate impact, while an EPSS score below 1% points to a low probability of exploitation in the wild. The flaw is not listed in CISA’s KEV catalog, so it is not known to have been actively exploited. Exploitability typically requires sending crafted requests to the plugin’s endpoints, and no special credentials or elevated privileges are necessary. The attack vector is likely remote via web requests to the affected plugin, making it accessible to any internet‑reachable user of the site.

Generated by OpenCVE AI on April 16, 2026 at 01:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WP Docs to the latest available version that addresses the access control issue.
  • If an update is not yet available, disable the WP Docs plugin until a patched version can be deployed.
  • Restrict plugin functionality by reviewing and tightening role permissions or applying additional access restrictions through server‑side or .htaccess rules.



Advisories

No advisories yet.

History

Wed, 04 Feb 2026 12:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Fahad Mahmood; Fahad Mahmood wp Docs; Wordpress; Wordpress wordpress |
| Vendors & Products | | Fahad Mahmood; Fahad Mahmood wp Docs; Wordpress; Wordpress wordpress |

Tue, 03 Feb 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'} |
| | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Tue, 03 Feb 2026 14:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Missing Authorization vulnerability in Fahad Mahmood WP Docs wp-docs allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Docs: from n/a through <= 2.2.8. |
| Title | | WordPress WP Docs plugin <= 2.2.8 - Broken Access Control vulnerability |
| Weaknesses | | CWE-862 |
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:52.938Z

Reserved: 2026-01-28T09:50:51.017Z

Link: CVE-2026-24990

Vulnrichment

Updated: 2026-02-03T16:25:38.063Z

NVD

Status: Deferred

Published: 2026-02-03T15:16:18.107

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24990

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T01:30:20Z

Weaknesses