{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39520", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:48:03.414Z", "datePublished": "2026-04-08T08:30:15.736Z", "dateUpdated": "2026-04-08T08:30:15.736Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wedocs", "product": "weDocs", "vendor": "weDevs", "versions": [{"changes": [{"at": "2.2.1", "status": "unaffected"}], "lessThanOrEqual": "2.1.18", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "hhhai | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:59.468Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in weDevs weDocs wedocs allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects weDocs: from n/a through <= 2.1.18.</p>"}], "value": "Missing Authorization vulnerability in weDevs weDocs wedocs allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects weDocs: from n/a through <= 2.1.18."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:15.736Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wedocs/vulnerability/wordpress-wedocs-plugin-2-1-18-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress weDocs plugin <= 2.1.18 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in weDevs weDocs wedocs allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects weDocs: from n/a through <= 2.1.18."}], "id": "CVE-2026-39520", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:25.630", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wedocs/vulnerability/wordpress-wedocs-plugin-2-1-18-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.1.18]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[2.2.1,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "weDocs", "source": "cna", "vendor": "weDevs"}, "product": "wedocs", "vendor": "wedevs"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T09:20:24.671504+00:00", "value": {"mitigation_remediation": ["Upgrade the weDocs plugin to 2.1.19 or later.", "If an upgrade is not immediately possible, disable or restrict the plugin for non-admin users by reviewing WordPress role capabilities and removing public access to plugin pages.", "Monitor site logs for abnormal activity targeting plugin URLs and remove the plugin from the site if it is not required."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "WordPress sites that use the weDocs plugin from weDevs, versions up to 2.1.18, are impacted. Administrators should verify the installed plugin version and any customizations that might expose restricted areas.", "description_and_impact": "The vulnerability is a missing authorization flaw that enables users lacking proper permissions to exploit incorrectly configured access control settings within the weDocs plugin. This flaw can allow an attacker to read, modify, or otherwise interact with content or settings that should be restricted to privileged users, potentially exposing private data or undermining the integrity of the documentation site.", "risk_and_exploitability": "Because the flaw is accessed via standard plugin web interfaces, it is likely exploitable by any authenticated or even unauthenticated user with sufficient access to the WordPress installation. No current EPSS score or CISA KEV listing is available, but the inherent nature of a broken access control flaw suggests a substantial risk to confidentiality, integrity, and availability of site content."}}}}, "created": "2026-04-08T19:30:29.890996+00:00", "updated": "2026-04-08T19:42:46.529933+00:00", "vendors": ["wedevs", "wedevs$PRODUCT$wedocs", "wordpress", "wordpress$PRODUCT$wordpress"]}