CVE-2025-12505
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-06

Last updated on: 2025-12-08

Assigner: Wordfence

Description
The weDocs plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.1.14. This is due to the plugin not properly verifying that a user is authorized to perform an action in the create_item_permissions_check function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify global plugin settings.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-06
Last Modified
2025-12-08
Generated
2026-06-16
AI Q&A
2025-12-06
EPSS Evaluated
2026-06-14
NVD
CVE-2025-12505
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wedevs wedocs *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in the weDocs WordPress plugin allows authenticated users with Subscriber-level access or higher to bypass proper authorization checks in the create_item_permissions_check function. This means these users can modify global plugin settings without having the appropriate permissions.

Impact Analysis

This vulnerability can allow low-privileged authenticated users to change global settings of the weDocs plugin, potentially leading to unauthorized configuration changes that could affect the security, functionality, or availability of the plugin and the WordPress site.

Compliance Impact

The vulnerability allows authenticated users with Subscriber-level access and above to modify global plugin settings without proper authorization checks. This unauthorized modification capability could potentially lead to changes in how data is handled or exposed, which may impact compliance with standards like GDPR or HIPAA if sensitive data or privacy controls are affected. However, the provided resources do not explicitly discuss the impact on compliance with these regulations.

Detection Guidance

This vulnerability involves unauthorized access to the WeDocs WordPress plugin settings via its REST API, specifically through the 'create_item_permissions_check' function. To detect exploitation attempts, monitor REST API POST requests to the endpoint '/wp/v2/docs/settings' that attempt to modify plugin settings. You can check your web server logs or use tools like curl to test access. For example, a command to test if unauthorized modification is possible (requires authentication) could be: curl -X POST -u subscriber_user:password https://yourwordpresssite.com/wp-json/wp/v2/docs/settings -d '{"settings": {"name": "test"}}' -H "Content-Type: application/json" Additionally, review WordPress logs or audit plugins for unusual changes to the 'wedocs_settings' option. Note: The vulnerability requires authenticated users with Subscriber-level access or higher. [2]

Mitigation Strategies

Immediate mitigation steps include: 1. Update the WeDocs plugin to a version later than 2.1.14 where this vulnerability is fixed. 2. Restrict or review user roles and permissions, ensuring that Subscriber-level users do not have unnecessary access. 3. Temporarily disable the WeDocs plugin if an update is not immediately available. 4. Monitor and audit changes to the 'wedocs_settings' option in the WordPress database. 5. Implement additional access controls or security plugins that limit REST API access. These steps help prevent unauthorized modification of global plugin settings via the vulnerable REST API endpoint.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12505. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart