{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24990", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:50:51.017Z", "datePublished": "2026-02-03T14:08:36.720Z", "dateUpdated": "2026-04-28T16:14:52.938Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wp-docs", "product": "WP Docs", "vendor": "Fahad Mahmood", "versions": [{"changes": [{"at": "2.2.9", "status": "unaffected"}], "lessThanOrEqual": "2.2.8", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "hhhai | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:01.091Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Fahad Mahmood WP Docs wp-docs allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP Docs: from n/a through <= 2.2.8.</p>"}], "value": "Missing Authorization vulnerability in Fahad Mahmood WP Docs wp-docs allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Docs: from n/a through <= 2.2.8."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:52.938Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wp-docs/vulnerability/wordpress-wp-docs-plugin-2-2-8-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress WP Docs plugin <= 2.2.8 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-03T16:26:05.762411Z", "id": "CVE-2026-24990", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T15:39:16.897Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24990", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-03T16:26:05.762411Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T16:25:38.063Z"}}], "cna": {"title": "WordPress WP Docs plugin <= 2.2.8 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "hhhai | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Fahad Mahmood", "product": "WP Docs", "versions": [{"status": "affected", "changes": [{"at": "2.2.9", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "2.2.8"}], "packageName": "wp-docs", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-28T13:26:33.000Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/wp-docs/vulnerability/wordpress-wp-docs-plugin-2-2-8-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Fahad Mahmood WP Docs wp-docs allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Docs: from n/a through <= 2.2.8.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Fahad Mahmood WP Docs wp-docs allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP Docs: from n/a through <= 2.2.8.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:47.756Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24990", "state": "PUBLISHED", "dateUpdated": "2026-04-28T15:39:16.897Z", "dateReserved": "2026-01-28T09:50:51.017Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-03T14:08:36.720Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Fahad Mahmood WP Docs wp-docs allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Docs: from n/a through <= 2.2.8."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Fahad Mahmood WP Docs wp-docs permite explotar niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a WP Docs: desde n/a hasta &lt;= 2.2.8."}], "id": "CVE-2026-24990", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-03T15:16:18.107", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wp-docs/vulnerability/wordpress-wp-docs-plugin-2-2-8-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T01:16:15.726663+00:00", "value": {"mitigation_remediation": ["Update WP Docs to the latest available version that addresses the access control issue.", "If an update is not yet available, disable the WP Docs plugin until a patched version can be deployed.", "Restrict plugin functionality by reviewing and tightening role permissions or applying additional access restrictions through server\u2011side or .htaccess rules."], "summary": {"action": "Apply Patch", "impact": "Broken access control in WP Docs"}, "threat_synthesis": {"affected_systems": "WordPress sites utilizing the WP Docs plugin by Fahad Mahmood, versions from the initial release (n/a) through 2.2.8, are affected. The vulnerability applies when the plugin is active and the access control configuration is not properly enforced.", "description_and_impact": "A missing authorization flaw in the Fahad Mahmood WP Docs plugin allows an attacker to bypass the plugin\u2019s access control settings and potentially view or manipulate documents that should be restricted. The vulnerability is due to incorrectly configured security levels, enabling unauthorized users to perform actions normally limited to privileged roles. This can lead to unauthorized disclosure of sensitive content or unintended modification of documents stored in WordPress.", "risk_and_exploitability": "The CVSS score of 5.4 indicates a moderate impact, while an EPSS score below 1% points to a low probability of exploitation in the wild. The flaw is not listed in CISA\u2019s KEV catalog, so it is not known to have been actively exploited. Exploitability typically requires sending crafted requests to the plugin\u2019s endpoints, and no special credentials or elevated privileges are necessary. The attack vector is likely remote via web requests to the affected plugin, making it accessible to any internet\u2011reachable user of the site."}}}}, "created": "2026-02-04T12:08:54.638822+00:00", "updated": "2026-04-16T01:30:20.302288+00:00", "vendors": ["fahad_mahmood", "fahad_mahmood$PRODUCT$wp_docs", "wordpress", "wordpress$PRODUCT$wordpress"]}