Missing Authorization Vulnerability in weDocs Plugin for WordPress
CVE-2026-12729

4.3 MEDIUM

What is CVE-2026-12729?

The weDocs plugin for WordPress is vulnerable because of insufficient authorization checks in the do_migration() function. The AJAX action wedocs_migrate_betterdocs_to_wedocs lacks nonce verification and capability checks, allowing authenticated users with Subscriber-level permissions or higher to initiate unauthorized data migrations. Exploitation can lead to the creation or modification of 'docs' custom post entries under attacker-controlled titles, changes to site options, and the potential deactivation of the BetterDocs and BetterDocs Pro plugins, posing significant operational threats to websites using this plugin.
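
One way to gate this AJAX action on a site that still runs an affected version is a small must-use plugin that checks the caller's capability before the plugin's own handler runs. This is an added example, not weDocs code: the function and constant names are hypothetical, and requiring manage_options and hooking at priority 0 (ahead of a handler assumed to sit at the default priority 10) are assumptions.

```php
<?php
/**
 * Plugin Name: Guard weDocs migration AJAX action (added example)
 *
 * Place in wp-content/mu-plugins/. Not part of weDocs.
 */

defined( 'ABSPATH' ) || exit;

// AJAX action name as given in the advisory.
const EXAMPLE_GUARDED_ACTION = 'wedocs_migrate_betterdocs_to_wedocs';

// Assumption: only administrators should be able to start a migration.
const EXAMPLE_REQUIRED_CAP = 'manage_options';

// wp_ajax_{action} fires for logged-in users only, which matches the
// advisory (Subscriber-level and above). Priority 0 runs before callbacks
// registered at the default priority of 10 (assumed for the plugin's handler).
add_action( 'wp_ajax_' . EXAMPLE_GUARDED_ACTION, 'example_guard_wedocs_migration', 0 );

function example_guard_wedocs_migration() {
	if ( current_user_can( EXAMPLE_REQUIRED_CAP ) ) {
		// Authorized caller: return so the plugin's own handler runs next.
		return;
	}

	// Record the denied attempt so it can be reviewed or alerted on.
	$ip = isset( $_SERVER['REMOTE_ADDR'] )
		? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
		: 'unknown';
	error_log(
		sprintf(
			'[ajax-guard] denied action=%s user_id=%d ip=%s',
			EXAMPLE_GUARDED_ACTION,
			get_current_user_id(),
			$ip
		)
	);

	// wp_send_json_error() sends the response and terminates the request,
	// so later callbacks on this hook never execute.
	wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}
```

The guard adds only the capability check; it does not supply the missing nonce verification, so a forged request made through an administrator's session is not covered by it.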

Affected Version(s)

weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot: versions 0 through 2.3.0 (<= 2.3.0)

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

PRISM