CVE-2026-12729 MEDIUM

CVE-2026-12729: weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot <= 2.3.0 - Missing Authorization to Authenticated (Subscriber+) Data Migration via wedocs_migrate_betterdocs_to_wedocs AJAX Action

Vendor: Wedevs
Product: weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot
Weakness: CWE-862 · Missing authorization
Published: July 3, 2026
Last update: July 3, 2026

CVSS base score

4.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: None
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 2.3.0. This is due to a missing capability check on the do_migration() function registered as the wedocs_migrate_betterdocs_to_wedocs AJAX action, which performs no nonce verification via check_ajax_referer() and no capability check via current_user_can() before executing sensitive operations. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger a full BetterDocs-to-weDocs data migration, creating and modifying 'docs' custom post type entries with attacker-controlled titles, updating site options, and deactivating the BetterDocs and BetterDocs Pro plugins via deactivate_plugins().
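Until a fixed release is installed, the capability check that the description says is missing can be supplied from outside the plugin. The must-use plugin below is an added example, not weDocs code; the file location, the `wedocs_guard_` names and the choice of `manage_options` as the required capability are assumptions.

```php
<?php
/**
 * Plugin Name: weDocs migration guard (added example, not weDocs code)
 *
 * Assumed location: wp-content/mu-plugins/wedocs-migration-guard.php
 */

defined( 'ABSPATH' ) || exit;

// AJAX action named in the advisory.
const WEDOCS_GUARD_ACTION = 'wedocs_migrate_betterdocs_to_wedocs';

// Assumption: only administrators should run a migration that rewrites
// docs, updates options and deactivates other plugins.
const WEDOCS_GUARD_CAPABILITY = 'manage_options';

/**
 * Reject the migration request unless the caller holds the capability.
 */
function wedocs_guard_check_migration_caller() {
	if ( current_user_can( WEDOCS_GUARD_CAPABILITY ) ) {
		return; // Authorized: fall through to the plugin's own handler.
	}

	// Record the denied attempt for later review.
	$user = wp_get_current_user();
	error_log( sprintf(
		'[wedocs-guard] denied %s for user_id=%d login=%s ip=%s',
		WEDOCS_GUARD_ACTION,
		$user->ID,
		$user->user_login,
		isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
	) );

	// Sends the JSON body with HTTP 403 and ends the request, so the
	// plugin's do_migration() callback is never reached.
	wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
}

// Authenticated AJAX calls fire "wp_ajax_{action}". PHP_INT_MIN makes this
// callback run before callbacks registered at any higher priority number,
// including the default of 10.
add_action( 'wp_ajax_' . WEDOCS_GUARD_ACTION, 'wedocs_guard_check_migration_caller', PHP_INT_MIN );
```

This guard does not add the missing nonce verification, so it narrows who can trigger the migration but does not replace the vendor fix.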

Explanation of Vulnerability in Simple Terms

02 Summary

The weDocs plugin for WordPress contains an authorization flaw that allows authenticated users to modify content they should not have access to. An attacker with a low-privilege account can change data through the plugin's API or interface without proper permission checks. This affects versions up to 2.3.0. Site administrators should update to a version newer than 2.3.0 when available.

What an attacker can do

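03 Attacker Capabilities

Modify plugin data without proper authorization by triggering the BetterDocs-to-weDocs migration, which creates and modifies 'docs' entries, updates site options, and deactivates the BetterDocs and BetterDocs Pro plugins.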

Potential impact on your site

04 Site Impact

Unauthorized users can alter documentation, knowledge base content, or plugin settings.

Conditions required to exploit

05 Prerequisites

Attacker must have a low-privilege WordPress account (e.g., subscriber or contributor).

Key dates

06 Disclosure timeline

July 3, 2026: CVE published
