{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25402", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:12.987Z", "datePublished": "2026-02-19T08:27:04.069Z", "dateUpdated": "2026-04-28T16:14:57.677Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "echo-knowledge-base", "product": "Knowledge Base for Documentation, FAQs with AI Assistance", "vendor": "echoplugins", "versions": [{"changes": [{"at": "16.20.0", "status": "unaffected"}], "lessThanOrEqual": "16.011.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:05.608Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in echoplugins Knowledge Base for Documentation, FAQs with AI Assistance echo-knowledge-base allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Knowledge Base for Documentation, FAQs with AI Assistance: from n/a through <= 16.011.0.</p>"}], "value": "Missing Authorization vulnerability in echoplugins Knowledge Base for Documentation, FAQs with AI Assistance echo-knowledge-base allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Knowledge Base for Documentation, FAQs with AI Assistance: from n/a through <= 16.011.0."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:57.677Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/echo-knowledge-base/vulnerability/wordpress-knowledge-base-for-documentation-faqs-with-ai-assistance-plugin-16-011-0-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Knowledge Base for Documentation, FAQs with AI Assistance plugin <= 16.011.0 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T19:11:50.479924Z", "id": "CVE-2026-25402", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T13:14:19.061Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25402", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:12.987Z", "datePublished": "2026-02-19T08:27:04.069Z", "dateUpdated": "2026-04-28T13:14:19.061Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "echo-knowledge-base", "product": "Knowledge Base for Documentation, FAQs with AI Assistance", "vendor": "echoplugins", "versions": [{"changes": [{"at": "16.20.0", "status": "unaffected"}], "lessThanOrEqual": "16.011.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-28T13:26:48.391Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in echoplugins Knowledge Base for Documentation, FAQs with AI Assistance echo-knowledge-base allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Knowledge Base for Documentation, FAQs with AI Assistance: from n/a through <= 16.011.0.</p>"}], "value": "Missing Authorization vulnerability in echoplugins Knowledge Base for Documentation, FAQs with AI Assistance echo-knowledge-base allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Knowledge Base for Documentation, FAQs with AI Assistance: from n/a through <= 16.011.0."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:49.950Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/echo-knowledge-base/vulnerability/wordpress-knowledge-base-for-documentation-faqs-with-ai-assistance-plugin-16-011-0-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Knowledge Base for Documentation, FAQs with AI Assistance plugin <= 16.011.0 - Broken Access Control vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25402", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T19:11:50.479924Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T19:10:31.080Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in echoplugins Knowledge Base for Documentation, FAQs with AI Assistance echo-knowledge-base allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Knowledge Base for Documentation, FAQs with AI Assistance: from n/a through <= 16.011.0."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en echoplugins Knowledge Base for Documentation, FAQs con AI Assistance echo-knowledge-base permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Knowledge Base for Documentation, FAQs with AI Assistance: desde n/a hasta &lt;= 16.011.0."}], "id": "CVE-2026-25402", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-19T09:16:22.063", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/echo-knowledge-base/vulnerability/wordpress-knowledge-base-for-documentation-faqs-with-ai-assistance-plugin-16-011-0-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,16.011.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Knowledge Base for Documentation, FAQs with AI Assistance", "source": "cna", "vendor": "echoplugins"}, "product": "knowledge_base_for_documentation,_faqs_with_ai_assistance", "vendor": "echoplugins"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T00:18:30.361003+00:00", "value": {"mitigation_remediation": ["Determine which WordPress sites host the Knowledge Base plugin at version 16.011.0 or earlier.", "Upgrade the plugin to the latest release that addresses the broken access control, or replace it with a vetted alternative if no patch is available.", "Reconfigure the plugin\u2019s permission settings so that only administrators or explicitly authorized roles can perform privileged actions, and validate these settings after updating."], "summary": {"action": "Apply Patch", "impact": "Broken Access Control"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed EchoPlugins\u2019 Knowledge Base for Documentation, FAQs with AI Assistance plugin at version 16.011.0 or earlier are affected. The issue originates within the plugin\u2019s internal role checks and applies to all instances where the plugin is active.", "description_and_impact": "The vulnerability is a missing authorization flaw that allows exploitation of incorrectly configured access control security levels in the Knowledge Base for Documentation, FAQs with AI Assistance plugin. An attacker who can reach the exposed plugin functions may perform actions normally restricted to privileged users, potentially reading, modifying, or deleting content managed through the plugin, thereby compromising data integrity and confidentiality.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate risk level, while the EPSS score of less than 1% shows a very low probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is through the web application layer; an attacker with access to the WordPress environment\u2014either via legitimate user credentials or by exploiting a user that has been granted improper privileges\u2014could bypass authorization and access or modify content within the plugin. The weakness is classified as CWE-862 (Missing Authorization), highlighting the nature of the flaw."}}}}, "created": "2026-02-20T10:08:29.250590+00:00", "updated": "2026-04-16T00:30:18.853702+00:00", "vendors": ["echoplugins", "echoplugins$PRODUCT$knowledge_base_for_documentation,_faqs_with_ai_assistance", "wordpress", "wordpress$PRODUCT$wordpress"]}