PT-2026-55440 · Wedevs · Wedocs: Ai Powered Knowledge Base
Prism · Published 2026-07-03 · Updated 2026-07-03
CVE-2026-12729
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 2.3.0. This is due to a missing capability check on the do_migration() function registered as the wedocs_migrate_betterdocs_to_wedocs AJAX action, which performs no nonce verification via check_ajax_referer() and no capability check via current_user_can() before executing sensitive operations. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger a full BetterDocs-to-weDocs data migration, creating and modifying 'docs' custom post type entries with attacker-controlled titles, updating site options, and deactivating the BetterDocs and BetterDocs Pro plugins via deactivate_plugins().
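The two checks the description says are missing, shown in a hardened AJAX callback. This is an added example, not the weDocs source or its patch; the class name, nonce action, 'nonce' request field, capability choice and injected $migrate callable are assumptions.

```php
<?php
// Added example: hypothetical class, not the weDocs source code.
// Assumptions: nonce action string, 'nonce' request field, the chosen
// capabilities, and the injected $migrate callable.
class Example_Migration_Ajax {
    const ACTION = 'wedocs_migrate_betterdocs_to_wedocs'; // action named in the advisory
    const NONCE  = 'example_wedocs_migration';            // assumed nonce action

    /** @var callable The privileged migration routine. */
    private $migrate;

    public function __construct( callable $migrate ) {
        $this->migrate = $migrate;
    }

    public function register() {
        // wp_ajax_{action} fires for every logged-in user, Subscribers
        // included, so the callback must authorize the request itself.
        add_action( 'wp_ajax_' . self::ACTION, array( $this, 'do_migration' ) );
    }

    public function do_migration() {
        // 1. Nonce check. $die = false so the caller gets a JSON error
        //    instead of the default wp_die( '-1' ).
        if ( ! check_ajax_referer( self::NONCE, 'nonce', false ) ) {
            wp_send_json_error( array( 'message' => 'Invalid or missing nonce.' ), 403 );
        }

        // 2. Capability check. The migration updates site options and
        //    deactivates plugins, so both capabilities are required here.
        if ( ! current_user_can( 'manage_options' ) || ! current_user_can( 'activate_plugins' ) ) {
            wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
        }

        // 3. Privileged work runs only after both checks pass.
        //    wp_send_json_*() ends the request, so nothing below executes.
        wp_send_json_success( call_user_func( $this->migrate ) );
    }
}
```

The nonce created with wp_create_nonce() for this action should be printed only on admin screens that are themselves limited to the same capabilities; the nonce alone is not an authorization check.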
Fix
Missing Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Wedocs: Ai Powered Knowledge Base