CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-12729

mediumCVSS 4.3covered by 1 sourcefirst seen 2026-07-03
The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 2.3.0. This is due to a missing capability check on the do_migration() function registered as the wedocs_migrate_betterdocs_to_wedocs AJAX action, which performs no nonce verification via check_ajax_referer() and no capability check via current_user_can() before executing sensitive operations. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger a full BetterDocs-to-weDocs data migration, creating and modifying 'docs' custom post type entries with attacker-controlled titles, updating site options, and deactivating the BetterDocs and BetterDocs Pro plugins via deactivate_plugins().

⚡ Watch CVE-2026-12729

Get an email if CVE-2026-12729 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-12729

CVE.org record

Embed the live status

CVE-2026-12729 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-12729 status](https://www.csirts.com/badge/CVE-2026-12729)](https://www.csirts.com/cve/CVE-2026-12729)