CVE Catalog

CVE-2026-12729

Medium · CVSS 4.3

Summary

The weDocs plugin for WordPress up to version 2.3.0 has a missing authorization vulnerability in the do_migration() function. Authenticated attackers with Subscriber-level access can trigger a full data migration from BetterDocs to weDocs, creating and modifying 'docs' custom post type entries, updating site options, and deactivating BetterDocs and BetterDocs Pro plugins.

Risk Assessment

The risk includes unauthorized modification of documentation content, changes to site settings, and deactivation of critical plugins, potentially leading to data loss and service disruption.

Recommendation

Immediately update the weDocs plugin to the latest version and check for any unauthorized data migrations.

Original NVD description (English source)

The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 2.3.0. This is due to a missing capability check on the do_migration() function registered as the wedocs_migrate_betterdocs_to_wedocs AJAX action, which performs no nonce verification via check_ajax_referer() and no capability check via current_user_can() before executing sensitive operations. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger a full BetterDocs-to-weDocs data migration, creating and modifying 'docs' custom post type entries with attacker-controlled titles, updating site options, and deactivating the BetterDocs and BetterDocs Pro plugins via deactivate_plugins().
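A stopgap capability guard for sites that cannot update immediately, written as a must-use plugin. This is an added example, not weDocs code and not part of the NVD entry. It assumes the plugin attaches do_migration() at a priority later than 0 and that `manage_options` is the right capability for a migration; the function name `example_wedocs_migration_guard` is hypothetical.

```php
<?php
/**
 * Plugin Name: weDocs migration guard (added example)
 * Description: Rejects the wedocs_migrate_betterdocs_to_wedocs AJAX action
 *              for users who are not administrators. Remove after updating weDocs.
 */

defined( 'ABSPATH' ) || exit;

// WordPress fires wp_ajax_{action} for logged-in users. Priority 0 runs this
// guard before handlers registered at the default priority (10).
// Assumption: the plugin's own handler is not registered at priority 0 or lower.
add_action( 'wp_ajax_wedocs_migrate_betterdocs_to_wedocs', 'example_wedocs_migration_guard', 0 );

function example_wedocs_migration_guard() {
	// Assumption: only users who can manage site options should run a migration
	// that rewrites 'docs' posts, updates options and deactivates plugins.
	if ( current_user_can( 'manage_options' ) ) {
		return; // Authorized: fall through to the plugin's handler.
	}

	// Leave a trace for later review of unauthorized attempts.
	error_log( sprintf(
		'Blocked wedocs_migrate_betterdocs_to_wedocs for user ID %d',
		get_current_user_id()
	) );

	// Sends a JSON error with HTTP 403 and terminates the request,
	// so the plugin's handler never runs.
	wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}

// Note: this guard adds the missing capability check only. It does not add
// nonce verification, because the nonce action name is not given in the advisory.
```

Placed in `wp-content/mu-plugins/`, the guard loads on every request without activation. It is not a substitute for updating the plugin.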

Vulnerability data from NVD (NIST) · CISA KEV · EPSS