{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12505", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-30T13:38:25.116Z", "datePublished": "2025-12-06T04:37:50.190Z", "dateUpdated": "2026-04-08T16:48:00.808Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:48:00.808Z"}, "affected": [{"vendor": "wedevs", "product": "weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.1.14", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The weDocs plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.1.14. This is due to the plugin not properly verifying that a user is authorized to perform an action in the create_item_permissions_check function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify global plugin settings."}], "title": "weDocs <= 2.1.14 - Missing Authorization to Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3ec54ec6-0ff1-4290-85d0-d691a1832627?source=cve"}, {"url": "https://github.com/weDevsOfficial/wedocs-plugin/blob/develop/includes/API/SettingsApi.php"}, {"url": "https://plugins.trac.wordpress.org/browser/wedocs/tags/2.1.13/includes/API/SettingsApi.php#L115"}, {"url": "https://plugins.trac.wordpress.org/browser/wedocs/tags/2.1.13/includes/API/SettingsApi.php#L179"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3403375%40wedocs%2Ftrunk&old=3382516%40wedocs%2Ftrunk&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-285 Improper Authorization", "cweId": "CWE-285", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "timeline": [{"time": "2025-11-10T11:29:35.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-05T15:51:21.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-08T20:51:20.260035Z", "id": "CVE-2025-12505", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-08T20:51:33.344Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12505", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-08T20:51:20.260035Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-08T20:51:27.733Z"}}], "cna": {"title": "weDocs <= 2.1.14 - Missing Authorization to Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"}}], "affected": [{"vendor": "wedevs", "product": "weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.1.14"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-10T11:29:35.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-05T15:51:21.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3ec54ec6-0ff1-4290-85d0-d691a1832627?source=cve"}, {"url": "https://github.com/weDevsOfficial/wedocs-plugin/blob/develop/includes/API/SettingsApi.php"}, {"url": "https://plugins.trac.wordpress.org/browser/wedocs/tags/2.1.13/includes/API/SettingsApi.php#L115"}, {"url": "https://plugins.trac.wordpress.org/browser/wedocs/tags/2.1.13/includes/API/SettingsApi.php#L179"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3403375%40wedocs%2Ftrunk&old=3382516%40wedocs%2Ftrunk&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The weDocs plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.1.14. This is due to the plugin not properly verifying that a user is authorized to perform an action in the create_item_permissions_check function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify global plugin settings."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285 Improper Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-12-06T04:37:50.190Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12505", "state": "PUBLISHED", "dateUpdated": "2025-12-08T20:51:33.344Z", "dateReserved": "2025-10-30T13:38:25.116Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-06T04:37:50.190Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The weDocs plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.1.14. This is due to the plugin not properly verifying that a user is authorized to perform an action in the create_item_permissions_check function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify global plugin settings."}], "id": "CVE-2025-12505", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-06T05:16:43.790", "references": [{"source": "security@wordfence.com", "url": "https://github.com/weDevsOfficial/wedocs-plugin/blob/develop/includes/API/SettingsApi.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wedocs/tags/2.1.13/includes/API/SettingsApi.php#L115"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wedocs/tags/2.1.13/includes/API/SettingsApi.php#L179"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3403375%40wedocs%2Ftrunk&old=3382516%40wedocs%2Ftrunk&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3ec54ec6-0ff1-4290-85d0-d691a1832627?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T12:16:14.799342+00:00", "value": {"mitigation_remediation": ["Upgrade the weDocs plugin to the newest release from the vendor that includes the missing authorization check, if one is available.", "If no update exists, restrict users who hold the Subscriber role or lower from accessing the plugin\u2019s Settings API or related admin pages, for example by adjusting role capabilities or using a role\u2011management plugin to remove the required capability.", "As a temporary workaround, deactivate or uninstall the weDocs plugin until an official fix is released, or manually patch the SettingsApi.php file to add a proper capability check before allowing settings changes."], "summary": {"action": "Check patch", "impact": "Unauthorized modification of global plugin settings"}, "threat_synthesis": {"affected_systems": "WordPress sites that use the weDocs plugin version 2.1.14 or earlier are vulnerable. The plugin, sold by wedevs as an AI\u2011powered knowledge base and documentation platform, must be examined on all installations running these legacy releases.", "description_and_impact": "The weDocs plugin for WordPress contains an authorization flaw that allows any authenticated user with a Subscriber role or higher to modify the plugin\u2019s global settings. This happens because the create_item_permissions_check function in the Settings API does not verify that the caller has sufficient privileges. If exploited, an attacker can alter configuration values that affect the entire knowledge base, potentially redirecting content or disabling documentation features.", "risk_and_exploitability": "The vulnerability is scored with a CVSS of 5.4, indicating moderate severity. The EPSS score of less than 1% suggests a low probability of current exploitation, and the vulnerability is not present in the CISA KEV catalog. An attacker must first authenticate to the WordPress site with a Subscriber or greater role; no additional conditions such as remote network exposure are required. Once authenticated, the attacker can call the Settings API endpoint to change any configuration parameter."}}}}, "created": "2025-12-08T09:39:42.991491+00:00", "updated": "2026-04-22T12:30:16.826110+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}