Executive Summary

The weDocs plugin for WordPress, up to version 2.1.15, has a vulnerability in its REST API endpoint `/wp-json/wp/v2/docs/settings` that allows unauthenticated attackers to access sensitive information. Specifically, attackers can extract sensitive data such as API keys for third-party services without needing to log in or have permissions. [2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information, including third-party service API keys. Such exposure can allow attackers to misuse these keys, potentially leading to unauthorized access to external services, data breaches, or further compromise of your WordPress environment and associated services. [2]

Useful 0 Not Useful 0

Detection Guidance

You can detect this vulnerability by checking if your WordPress installation is running the weDocs plugin version 2.1.15 or earlier. Additionally, monitoring for unauthenticated requests to the REST API endpoint `/wp-json/wp/v2/docs/settings` could indicate exploitation attempts. Specific commands to check the plugin version include: `wp plugin list | grep wedocs` (using WP-CLI) or inspecting the plugin version in the WordPress admin dashboard. To detect suspicious API calls, you can use network monitoring tools like `tcpdump` or `Wireshark` filtering HTTP requests to `/wp-json/wp/v2/docs/settings`. [2]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the weDocs plugin to version 2.1.16 or later, which includes fixes that improve access control and prevent sensitive information exposure via the REST API. Until the update is applied, restrict access to the `/wp-json/wp/v2/docs/settings` endpoint if possible, for example by using firewall rules or security plugins to block unauthenticated access. [2]

Useful 0 Not Useful 0