What happened
CVE-2026-12729 (CVSS 4.3 Medium, published 2026-07-03) affects the weDocs WordPress plugin through version 2.3.0. The do_migration() function, registered as the wedocs_migrate_betterdocs_to_wedocs AJAX action, lacks a capability check, allowing any authenticated WordPress user (including Subscriber-level) to trigger data migration operations.
Why it matters
Although the severity is lower, missing authorization on a migration endpoint in an AI chatbot plugin can allow low-privileged users to trigger disruptive data operations on the knowledge base that feeds the AI chatbot, potentially corrupting the RAG/knowledge source or triggering unintended data movement that exposes content in the wrong contexts.
Attack vector
Any authenticated WordPress user calls the wedocs_migrate_betterdocs_to_wedocs AJAX action; the server performs the migration without verifying the user's privileges.
Affected systems
weDocs WordPress plugin ≤ 2.3.0
Mitigation
Update the weDocs plugin to a version later than 2.3.0. Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-12729
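Where the update cannot be applied immediately, a must-use plugin can put the missing capability check in front of the affected AJAX action and log denied attempts. This is an added example, not weDocs code or the vendor's fix; the file placement, the constant name and the choice of manage_options as the required capability are assumptions.

```php
<?php
/**
 * Plugin Name: weDocs migration capability guard (added example)
 * Place in wp-content/mu-plugins/ (file name is hypothetical).
 */

// Assumption: only administrators should run the BetterDocs migration.
const WEDOCS_GUARD_REQUIRED_CAP = 'manage_options';

// wp_ajax_{action} fires for logged-in users. PHP_INT_MIN priority makes this
// guard run before the plugin's own do_migration() callback on the same hook.
add_action(
    'wp_ajax_wedocs_migrate_betterdocs_to_wedocs',
    function () {
        if ( current_user_can( WEDOCS_GUARD_REQUIRED_CAP ) ) {
            return; // Authorized: let the plugin's handler run.
        }

        // Record the denied attempt so it can be reviewed or alerted on.
        error_log( sprintf(
            'weDocs guard: denied migration request from user_id=%d ip=%s',
            get_current_user_id(),
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
        ) );

        // Sends a JSON error with HTTP 403 and terminates the request,
        // so the unguarded handler never executes.
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    },
    PHP_INT_MIN
);
```

Remove the guard once the plugin has been updated past 2.3.0.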