CVE-2026-24990
Unknown Unknown - Not Provided
Missing Authorization in WP Docs ≀ 2.2.8 Enables Unauthorized Access

Publication date: 2026-02-03

Last updated on: 2026-02-03

Assigner: Patchstack

Description
Missing Authorization vulnerability in Fahad Mahmood WP Docs wp-docs allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Docs: from n/a through <= 2.2.8.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-03
Last Modified
2026-02-03
Generated
2026-06-16
AI Q&A
2026-02-03
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24990
EUVD
EUVD-2026-5250
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
patchstack wp_docs to 2.2.8 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-24990 is a broken access control vulnerability in the WordPress WP Docs Plugin versions up to and including 2.2.8.

This issue arises from missing authorization, authentication, or nonce token checks in certain functions, allowing unprivileged users to perform actions reserved for higher-privileged roles.

The vulnerability is classified under the OWASP Top 10 category A1: Broken Access Control.

Impact Analysis

This vulnerability allows users with low privilege levels, such as Subscriber or Developer roles, to perform actions that should be restricted to higher-privileged users.

While the CVSS severity score is 5.4, indicating a low priority and low impact threat, it can still lead to unauthorized actions within the WP Docs plugin.

Exploitation of this flaw could compromise the integrity of access control within the affected WordPress site.

Detection Guidance

This vulnerability arises from missing authorization, authentication, or nonce token checks in certain functions of the WP Docs Plugin up to version 2.2.8, allowing unprivileged users to perform actions reserved for higher-privileged roles.

Detection would involve checking the version of the WP Docs Plugin installed on your WordPress system to see if it is version 2.2.8 or earlier.

Since this is a WordPress plugin vulnerability, you can detect it by running commands to identify the plugin version, for example:

  • Using WP-CLI: wp plugin list --status=active
  • Manually checking the plugin version in the WordPress admin dashboard under Plugins.

There are no specific network commands or signatures provided to detect exploitation attempts of this vulnerability.

Mitigation Strategies

The primary mitigation step is to update the WP Docs Plugin to version 2.2.9 or later, where this vulnerability has been fixed.

Users are advised to apply this update as soon as possible to restore proper access control and prevent unprivileged users from exploiting the missing authorization checks.

Additionally, enabling automatic updates for plugins can provide rapid protection against such vulnerabilities in the future.

Compliance Impact

CVE-2026-24990 is a broken access control vulnerability that allows unprivileged users to perform actions reserved for higher-privileged roles due to missing authorization checks.

While the vulnerability represents a security weakness related to access control, the provided information does not explicitly describe its impact on compliance with common standards and regulations such as GDPR or HIPAA.

However, broken access control issues can potentially lead to unauthorized data access, which may affect compliance with regulations that require strict access controls and data protection.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24990. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart