PT-2026-55440 · Wedevs · Wedocs: Ai Powered Knowledge Base

Prism · Published 2026-07-03 · Updated 2026-07-03 · CVE-2026-12729

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 2.3.0. This is due to a missing capability check on the do_migration() function registered as the wedocs_migrate_betterdocs_to_wedocs AJAX action, which performs no nonce verification via check_ajax_referer() and no capability check via current_user_can() before executing sensitive operations. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger a full BetterDocs-to-weDocs data migration, creating and modifying 'docs' custom post type entries with attacker-controlled titles, updating site options, and deactivating the BetterDocs and BetterDocs Pro plugins via deactivate_plugins().
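
A stop-gap a site owner could deploy while an affected version is still installed, given here as an added example that is not code from weDocs or from this advisory: a must-use plugin that enforces the missing capability check ahead of the plugin's own callback. The manage_options capability, the example_* names, and the plugin registering its callback at a priority later than 0 are assumptions of this example.

```php
<?php
/**
 * Plugin Name: weDocs migration AJAX guard (added example)
 * Description: Illustrative stop-gap, not code from the weDocs project.
 *
 * Place in wp-content/mu-plugins/ so it loads before regular plugins.
 */

// Action name as given in the advisory text.
const EXAMPLE_WEDOCS_MIGRATE_ACTION = 'wedocs_migrate_betterdocs_to_wedocs';

// Assumption: a migration that updates site options and deactivates plugins
// should be limited to administrators. The advisory does not say which
// capability the vendor's fix requires.
const EXAMPLE_WEDOCS_MIGRATE_CAPABILITY = 'manage_options';

/**
 * Reject the AJAX request before the plugin's own callback runs.
 * wp_send_json_error() sends the JSON response and terminates the request,
 * so later callbacks on the same hook never execute.
 */
function example_guard_wedocs_migration() {
    if ( ! current_user_can( EXAMPLE_WEDOCS_MIGRATE_CAPABILITY ) ) {
        // Leave a trace for whoever reviews the PHP error log.
        error_log( sprintf(
            'Blocked %s from user ID %d',
            EXAMPLE_WEDOCS_MIGRATE_ACTION,
            get_current_user_id()
        ) );
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
}

// Priority 0 runs ahead of callbacks registered at the default priority 10.
// Only the authenticated hook is guarded, matching the advisory's description
// of an authenticated (Subscriber and above) caller.
add_action(
    'wp_ajax_' . EXAMPLE_WEDOCS_MIGRATE_ACTION,
    'example_guard_wedocs_migration',
    0
);
```

The guard covers only the capability check; the nonce verification via check_ajax_referer() that the advisory also finds missing has to be added in the plugin's own handler, together with a nonce issued by its admin page.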

Fix

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-12729

Affected Products

Wedocs: Ai Powered Knowledge Base