{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14574", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-12T12:23:59.405Z", "datePublished": "2026-01-09T06:34:56.372Z", "dateUpdated": "2026-04-08T17:23:36.966Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:23:36.966Z"}, "affected": [{"vendor": "wedevs", "product": "weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.1.15", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The weDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.15 via the `/wp-json/wp/v2/docs/settings` REST API endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including third party services API keys."}], "title": "weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot <= 2.1.15 - Unauthenticated Sensitive Information Exposure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cbca3d1e-0985-43d3-855e-eee07715f670?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=/wedocs/tags/2.1.15&new_path=/wedocs/tags/2.1.16#file12"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "cweId": "CWE-200", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "German"}], "timeline": [{"time": "2025-12-11T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-12-12T12:40:05.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-08T17:31:31.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-09T19:14:29.751298Z", "id": "CVE-2025-14574", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-09T19:18:20.856Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14574", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-09T19:14:29.751298Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-09T19:18:18.381Z"}}], "cna": {"title": "weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot <= 2.1.15 - Unauthenticated Sensitive Information Exposure", "credits": [{"lang": "en", "type": "finder", "value": "German"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "wedevs", "product": "weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.1.15"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-11T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-12-12T12:40:05.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-08T17:31:31.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cbca3d1e-0985-43d3-855e-eee07715f670?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=/wedocs/tags/2.1.15&new_path=/wedocs/tags/2.1.16#file12"}], "descriptions": [{"lang": "en", "value": "The weDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.15 via the `/wp-json/wp/v2/docs/settings` REST API endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including third party services API keys."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:23:36.966Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14574", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:23:36.966Z", "dateReserved": "2025-12-12T12:23:59.405Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-09T06:34:56.372Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The weDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.15 via the `/wp-json/wp/v2/docs/settings` REST API endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including third party services API keys."}, {"lang": "es", "value": "El plugin weDocs para WordPress es vulnerable a la exposici\u00f3n de informaci\u00f3n sensible en todas las versiones hasta la 2.1.15, inclusive, a trav\u00e9s del endpoint de la API REST `/wp-json/wp/v2/docs/settings`. Esto permite a atacantes no autenticados extraer datos sensibles, incluyendo claves de API de servicios de terceros."}], "id": "CVE-2025-14574", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-09T07:16:00.050", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?old_path=/wedocs/tags/2.1.15&new_path=/wedocs/tags/2.1.16#file12"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cbca3d1e-0985-43d3-855e-eee07715f670?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T21:11:55.268182+00:00", "value": {"mitigation_remediation": ["Upgrade weDocs to version 2.1.16 or later where the issue is fixed.", "Restrict the /wp-json/wp/v2/docs/settings endpoint to authenticated users only, for example by using a firewall rule, .htaccess restriction, or plugin configuration.", "Periodically review the plugin\u2019s REST endpoints and audit exposed data to ensure no inadvertent information disclosure."], "summary": {"action": "Apply Patch", "impact": "Sensitive Information Exposure"}, "threat_synthesis": {"affected_systems": "All installations of the weDocs plugin with versions 2.1.15 or earlier are affected. The plugin is maintained by wedevs and distributed through the WordPress plugin repository. The vulnerability is present in every installation that has not yet upgraded to the patched release 2.1.16.", "description_and_impact": "The weDocs plugin for WordPress contains an authentication flaw that allows unauthenticated attackers to access the /wp-json/wp/v2/docs/settings REST API. This endpoint returns sensitive configuration data, including third\u2011party API keys, which can be used to compromise connected services. The vulnerability conforms to CWE\u2011200: Information Exposure, leading to confidentiality loss and potential downstream exploitation of the exposed services.", "risk_and_exploitability": "The CVSS score of 5.3 places this vulnerability in the moderate risk category. The EPSS score indicates a very low likelihood of exploitation at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog. The issue can be exploited simply by making an unauthenticated GET request to the exposed REST endpoint; no additional privileges are required. This makes the attack straightforward, but the low exploitation probability mitigates the overall risk to some extent."}}}}, "created": "2026-01-09T13:23:32.481839+00:00", "updated": "2026-04-20T21:15:20.638493+00:00", "vendors": ["wedevs", "wedevs$PRODUCT$wedocs", "wordpress", "wordpress$PRODUCT$wordpress"]}