What the vulnerability does
01 Description
The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 2.3.0. This is due to a missing capability check on the do_migration() function registered as the wedocs_migrate_betterdocs_to_wedocs AJAX action, which performs no nonce verification via check_ajax_referer() and no capability check via current_user_can() before executing sensitive operations. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger a full BetterDocs-to-weDocs data migration, creating and modifying 'docs' custom post type entries with attacker-controlled titles, updating site options, and deactivating the BetterDocs and BetterDocs Pro plugins via deactivate_plugins().
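A static check for the pattern described above, written for this page as an added example and not taken from the weDocs code base: it lists each wp_ajax_ registration in a PHP source and reports whether the callback body calls a nonce check and current_user_can(). The embedded PHP is a constructed sample; the second action name, the nonce name, the placeholder plugin path and the manage_options capability are assumptions.

```python
import re

# Constructed PHP sample (not the plugin's real source): the first handler has
# no guards, the second has both. 'manage_options' is an assumed capability.
SAMPLE_PHP = r'''<?php
add_action( 'wp_ajax_wedocs_migrate_betterdocs_to_wedocs', [ $this, 'do_migration' ] );
add_action( 'wp_ajax_example_guarded', [ $this, 'guarded' ] );
function do_migration() {
    if ( ! empty( $_POST['title'] ) ) { wp_insert_post( [ 'post_type' => 'docs' ] ); }
    deactivate_plugins( 'placeholder/plugin.php' );
}
function guarded() {
    check_ajax_referer( 'example_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) { wp_send_json_error( null, 403 ); }
}
'''

# wp_ajax_<action> (and wp_ajax_nopriv_<action>) registrations and their callbacks.
HOOK = re.compile(r"""add_action\(\s*['"]wp_ajax_(?:nopriv_)?([\w-]+)['"]\s*,\s*"""
                  r"""(?:(?:\[|array\()\s*\$this\s*,\s*)?['"](\w+)['"]""")
GUARDS = {"nonce": ("check_ajax_referer", "wp_verify_nonce"),
          "capability": ("current_user_can",)}

def function_body(src, name):
    """Return the brace-balanced body of `function name(...)`, or None.
    Naive: braces inside PHP strings or comments are counted too."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\(", src)
    start = src.find("{", m.end()) if m else -1
    depth = 0
    for i in range(max(start, 0), len(src) if start >= 0 else 0):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[start:i + 1]
    return None

def audit(src):
    """Map each AJAX action to the list of guard kinds its callback lacks."""
    findings = {}
    for action, callback in HOOK.findall(src):
        body = function_body(src, callback)
        if body is None:
            findings[action] = ["callback not found"]
            continue
        findings[action] = [kind for kind, calls in GUARDS.items()
                            if not any(re.search(rf"\b{c}\s*\(", body) for c in calls)]
    return findings

if __name__ == "__main__":
    for action, missing in audit(SAMPLE_PHP).items():
        print(action, "->", "missing " + ", ".join(missing) if missing else "ok")
```

A reported gap is a lead for manual review, since a guard may live in a helper the callback calls; a reported "ok" only means the call appears in the body, not that its result is enforced.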
Explanation of Vulnerability in Simple Terms
02 Summary
The weDocs plugin for WordPress contains an authorization flaw that allows authenticated users to modify content they should not have access to. An attacker with a low-privilege account can change data through the plugin's API or interface without proper permission checks. This affects versions up to 2.3.0. Site administrators should update to a version newer than 2.3.0 when available.
What an attacker can do
03 Attacker Capabilities
Modify or change plugin data without proper authorization.
Potential impact on your site
04 Site Impact
Unauthorized users can alter documentation, knowledge base content, or plugin settings.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege WordPress account (e.g., subscriber or contributor).
Key dates
06 Disclosure timeline
July 3, 2026
CVE published