What happened
Two stored cross-site scripting (XSS) vulnerabilities (CVE-2026-12731 and CVE-2026-12734, both CVSS 6.4 Medium, published 2026-07-03) affect the weDocs WordPress plugin (an AI-powered knowledge-base and chatbot plugin) in all versions up to and including 2.3.0. CVE-2026-12731 covers the sectionTitleTag and articleTitleTag block attributes; CVE-2026-12734 covers the connectorWidth block attribute. In each case the attribute value is written into the page output by render.php without sufficient sanitisation, so an authenticated attacker with the Contributor role or higher can store a block whose attribute carries JavaScript. The stored script then runs in the browser of any user who renders the affected page, administrators included.
Why it matters
weDocs markets an AI chatbot feature powered by LLMs for customer-facing WordPress sites. Contributor is a common role in editorial workflows: it can create and edit its own drafts but not publish them, so an editor or administrator who previews or reviews the submitted draft renders the block and triggers the payload. Stored XSS reachable at that privilege level can lead to administrator session hijacking, site takeover, and manipulation of the embedded AI chatbot's system prompts or connected API keys, potentially redirecting chatbot responses or exfiltrating conversation data.
Attack vector
An authenticated user with the Contributor role or higher saves a post containing a weDocs block whose sectionTitleTag, articleTitleTag or connectorWidth attribute carries a JavaScript payload. The value is stored with the post and, because render.php does not sanitise it before output, executes in the browser of any user who views or previews that page, administrators included.
Affected systems
weDocs WordPress plugin ≤ 2.3.0
Mitigation
Update weDocs to a release later than 2.3.0 that includes the sanitisation fix; confirm the fixed version in the plugin changelog before treating the site as patched. Until the update is applied, review which accounts hold Contributor or higher, and audit existing post content for weDocs blocks whose sectionTitleTag or articleTitleTag value is anything other than a plain element name, or whose connectorWidth is anything other than a plain CSS length. Reference (the vulnerable render.php as shipped in tag 2.3.0): https://plugins.trac.wordpress.org/browser/wedocs/tags/2.3.0/assets/build/blocks/Sidebar/render.php
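The following Python script is an added example, not weDocs code and not the project's fix. It illustrates two things the sections above describe: the allowlist sanitisation that the render path needs for these three attributes, and an audit a site owner can run over stored post content while waiting for the update. It assumes, from the attribute names alone, that sectionTitleTag and articleTitleTag are emitted as HTML element names and connectorWidth as a CSS length; it also assumes that weDocs blocks live under the wedocs/ block namespace. The block name wedocs/sidebar, the allowlists, and the sample post content are all constructed for the demonstration.

```python
"""Allowlist sanitisers for weDocs block attributes plus an audit over serialized
post content.  Added example: not weDocs code and not the project's fix.
Assumptions (not taken from the advisory): *TitleTag attributes are emitted as
HTML element names, connectorWidth as a CSS length; weDocs blocks live in the
wedocs/ namespace; the block name wedocs/sidebar and all sample content below
are constructed for the demonstration."""
import html
import json
import re

# Element names a title attribute may legitimately select (assumed allowlist).
ALLOWED_TITLE_TAGS = {"h1", "h2", "h3", "h4", "h5", "h6", "p", "span", "div"}
# A bare CSS length: digits, optional fraction, optional unit.  Nothing else.
CSS_LENGTH = re.compile(r"^\d+(\.\d+)?(px|em|rem|%|vw)?$")
# Opening comment of any block in the wedocs/ namespace, with optional JSON
# attributes, self-closing ("/-->") or not.
BLOCK_RE = re.compile(r"<!--\s+wp:(wedocs/[\w-]+)\s*(\{.*?\})?\s*/?-->", re.S)


def sanitize_title_tag(value, default="h2"):
    """Return value only if it is an allowlisted element name, else default."""
    v = str(value).strip().lower()
    return v if v in ALLOWED_TITLE_TAGS else default


def sanitize_width(value, default="100%"):
    """Return value only if it is a bare CSS length, else default."""
    v = str(value).strip()
    return v if CSS_LENGTH.match(v) else default


def render_title(tag, text):
    """Hardened rendering: allowlisted element name, HTML-escaped text."""
    safe_tag = sanitize_title_tag(tag)
    return f"<{safe_tag}>{html.escape(text)}</{safe_tag}>"


def find_unsafe_attributes(post_content):
    """List (block_name, attribute, raw_value) for every stored attribute the
    allowlists reject, i.e. values that would be dangerous to echo unescaped."""
    findings = []
    for m in BLOCK_RE.finditer(post_content):
        name, raw_json = m.group(1), m.group(2)
        if not raw_json:
            continue
        try:
            attrs = json.loads(raw_json)
        except json.JSONDecodeError:
            findings.append((name, "<unparseable attributes>", raw_json))
            continue
        for attr in ("sectionTitleTag", "articleTitleTag"):
            if attr in attrs and sanitize_title_tag(attrs[attr], default=None) is None:
                findings.append((name, attr, attrs[attr]))
        if "connectorWidth" in attrs and sanitize_width(attrs["connectorWidth"], default=None) is None:
            findings.append((name, "connectorWidth", attrs["connectorWidth"]))
    return findings


# Constructed post_content: one clean weDocs block and one carrying payloads
# in the attributes the advisory names.
SAMPLE_POST_CONTENT = (
    '<!-- wp:paragraph --><p>Docs</p><!-- /wp:paragraph -->\n'
    '<!-- wp:wedocs/sidebar {"sectionTitleTag":"h2","articleTitleTag":"h3",'
    '"connectorWidth":"2px"} /-->\n'
    '<!-- wp:wedocs/sidebar {"sectionTitleTag":"h2 onmouseover=alert(1)",'
    '"articleTitleTag":"h3","connectorWidth":"1px;background:url(javascript:alert(1))"} /-->\n'
)

if __name__ == "__main__":
    for block, attr, value in find_unsafe_attributes(SAMPLE_POST_CONTENT):
        print(f"{block}: {attr} = {value!r}")
```

Feed find_unsafe_attributes the post_content column from wp_posts (for example as exported with WP-CLI's wp post list --field=post_content); every finding is a stored block to inspect by hand. The allowlists are the shape the fix in render.php should take whatever the plugin's exact implementation: a tag-name attribute is compared against a fixed set of element names rather than escaped, because escaping cannot make an arbitrary string a safe element name, and a width is accepted only when it parses as a bare length.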