CVE-2026-24990
Missing Authorization in WP Docs β€ 2.2.8 Enables Unauthorized Access
Publication date: 2026-02-03
Last updated on: 2026-02-03
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| patchstack | wp_docs | to 2.2.8 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-24990 is a broken access control vulnerability in the WordPress WP Docs Plugin versions up to and including 2.2.8.
This issue arises from missing authorization, authentication, or nonce token checks in certain functions, allowing unprivileged users to perform actions reserved for higher-privileged roles.
The vulnerability is classified under the OWASP Top 10 category A1: Broken Access Control.
How can this vulnerability impact me? :
This vulnerability allows users with low privilege levels, such as Subscriber or Developer roles, to perform actions that should be restricted to higher-privileged users.
While the CVSS severity score is 5.4, indicating a low priority and low impact threat, it can still lead to unauthorized actions within the WP Docs plugin.
Exploitation of this flaw could compromise the integrity of access control within the affected WordPress site.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from missing authorization, authentication, or nonce token checks in certain functions of the WP Docs Plugin up to version 2.2.8, allowing unprivileged users to perform actions reserved for higher-privileged roles.
Detection would involve checking the version of the WP Docs Plugin installed on your WordPress system to see if it is version 2.2.8 or earlier.
Since this is a WordPress plugin vulnerability, you can detect it by running commands to identify the plugin version, for example:
- Using WP-CLI: wp plugin list --status=active
- Manually checking the plugin version in the WordPress admin dashboard under Plugins.
There are no specific network commands or signatures provided to detect exploitation attempts of this vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the WP Docs Plugin to version 2.2.9 or later, where this vulnerability has been fixed.
Users are advised to apply this update as soon as possible to restore proper access control and prevent unprivileged users from exploiting the missing authorization checks.
Additionally, enabling automatic updates for plugins can provide rapid protection against such vulnerabilities in the future.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
CVE-2026-24990 is a broken access control vulnerability that allows unprivileged users to perform actions reserved for higher-privileged roles due to missing authorization checks.
While the vulnerability represents a security weakness related to access control, the provided information does not explicitly describe its impact on compliance with common standards and regulations such as GDPR or HIPAA.
However, broken access control issues can potentially lead to unauthorized data access, which may affect compliance with regulations that require strict access controls and data protection.