{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13921", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-02T19:00:31.637Z", "datePublished": "2026-01-23T13:24:24.015Z", "dateUpdated": "2026-04-08T17:20:52.515Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:20:52.515Z"}, "affected": [{"vendor": "wedevs", "product": "weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.1.16", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to unauthorized modification or loss of data due to a missing capability check on the 'wedocs_user_documentation_handling_capabilities' function in all versions up to, and including, 2.1.16. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit any documentation post. The vulnerability was partially patched in version 2.1.16."}], "title": "weDocs <= 2.1.16 - Missing Authorization to Authenticated (Subscriber+) Documentation Post Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c56234f3-7dd6-4dff-887d-5ddbf0cb7d3c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wedocs/tags/2.1.14/includes/functions.php#L506"}, {"url": "https://plugins.trac.wordpress.org/browser/wedocs/tags/2.1.14/includes/Installer.php#L21"}, {"url": "https://plugins.trac.wordpress.org/changeset/3426704/"}, {"url": "https://plugins.trac.wordpress.org/changeset/3440068/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Chokri Hammedi"}], "timeline": [{"time": "2025-12-02T19:16:39.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-22T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-23T18:39:39.179262Z", "id": "CVE-2025-13921", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T18:40:01.230Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13921", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-23T18:39:39.179262Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T18:39:57.474Z"}}], "cna": {"title": "weDocs <= 2.1.16 - Missing Authorization to Authenticated (Subscriber+) Documentation Post Update", "credits": [{"lang": "en", "type": "finder", "value": "Chokri Hammedi"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "wedevs", "product": "weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.1.16"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-02T19:16:39.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-22T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c56234f3-7dd6-4dff-887d-5ddbf0cb7d3c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wedocs/tags/2.1.14/includes/functions.php#L506"}, {"url": "https://plugins.trac.wordpress.org/browser/wedocs/tags/2.1.14/includes/Installer.php#L21"}, {"url": "https://plugins.trac.wordpress.org/changeset/3426704/"}, {"url": "https://plugins.trac.wordpress.org/changeset/3440068/"}], "descriptions": [{"lang": "en", "value": "The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to unauthorized modification or loss of data due to a missing capability check on the 'wedocs_user_documentation_handling_capabilities' function in all versions up to, and including, 2.1.16. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit any documentation post. The vulnerability was partially patched in version 2.1.16."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:20:52.515Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13921", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:20:52.515Z", "dateReserved": "2025-12-02T19:00:31.637Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-23T13:24:24.015Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to unauthorized modification or loss of data due to a missing capability check on the 'wedocs_user_documentation_handling_capabilities' function in all versions up to, and including, 2.1.16. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit any documentation post. The vulnerability was partially patched in version 2.1.16."}, {"lang": "es", "value": "El plugin weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki &amp; AI Chatbot para WordPress es vulnerable a la modificaci\u00f3n o p\u00e9rdida de datos no autorizada debido a una falta de verificaci\u00f3n de capacidad en la funci\u00f3n 'wedocs_user_documentation_handling_capabilities' en todas las versiones hasta la 2.1.16, inclusive. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior, editen cualquier publicaci\u00f3n de documentaci\u00f3n. La vulnerabilidad fue parcheada parcialmente en la versi\u00f3n 2.1.16."}], "id": "CVE-2025-13921", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-23T14:16:12.663", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wedocs/tags/2.1.14/includes/Installer.php#L21"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wedocs/tags/2.1.14/includes/functions.php#L506"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3426704/"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3440068/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c56234f3-7dd6-4dff-887d-5ddbf0cb7d3c?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T00:21:20.162005+00:00", "value": {"mitigation_remediation": ["Upgrade the weDocs plugin to version\u202f2.1.16 or later, which fixes the missing capability check.", "Remove the \u2018wedocs_user_documentation_handling_capabilities\u2019 permission from Subscriber and lower roles, or use a role\u2011management plugin to revoke that capability, thereby preventing unauthorized edits.", "If an upgrade is not immediately available, disable or uninstall the weDocs plugin until a secure version can be applied."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized modification of documentation posts"}, "threat_synthesis": {"affected_systems": "The plugin sold by wedevs, known as weDocs, is vulnerable in all releases up to and including version\u202f2.1.16. Users running any of those versions should consider the plugin affected.", "description_and_impact": "The weDocs AI Powered Knowledge Base plugin for WordPress has a missing capability check that lets any authenticated user with Subscriber-level access edit or delete any documentation post. This flaw permits an attacker to alter or remove content, compromising data integrity and potentially propagating misinformation. The weakness is a classic missing authorization failure, identified as CWE\u2011862.", "risk_and_exploitability": "The CVSS score of 4.3 suggests moderate severity, and the EPSS score of less than\u202f1\u202f% indicates a very low probability of exploitation in the wild. The flaw is not yet listed in CISA\u2019s KEV catalog. Because the attack requires authentication, the attack vector is limited to users who have Subscriber or higher permissions, but once accessed the attacker can modify any post without restriction. The partial patch in 2.1.16 adds the missing capability check, so installing that version eliminates the vulnerability."}}}}, "created": "2026-01-26T11:54:21.592869+00:00", "updated": "2026-04-21T00:30:22.967748+00:00", "vendors": ["wedevs", "wedevs$PRODUCT$wedocs", "wordpress", "wordpress$PRODUCT$wordpress"]}