PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-12731 wedevs CVE debrief

The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'sectionTitleTag' and 'articleTitleTag' Block Attributes in all versions up to, and including, 2.3.0. This vulnerability is caused by insufficient input sanitization and output escaping, allowing authenticated attackers with contributor-level access and above to inject arbitrary web scripts into pages. These scripts will execute when a user accesses an injected page, potentially leading to unauthorized actions or data breaches. Users of the weDocs plugin for WordPress, particularly those with contributor-level access and above, should be aware of this vulnerability and take steps to mitigate it by updating the plugin and implementing additional security measures.

Vendor
wedevs
Product
weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot
CVSS
MEDIUM 6.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-03
Original CVE updated
2026-07-07
Advisory published
2026-07-03
Advisory updated
2026-07-07

Who should care

Users of the weDocs plugin for WordPress, particularly those with contributor-level access and above, should be aware of this vulnerability and take steps to mitigate it. This includes updating the plugin to a version that addresses this vulnerability and implementing additional security measures such as Content Security Policy (CSP) to mitigate XSS attacks. Site administrators and security teams should review the affected plugin versions and plan for updates or mitigations through normal change control.

Technical summary

The weDocs plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) attacks. This vulnerability exists in all versions up to and including 2.3.0 and is caused by insufficient input sanitization and output escaping in the 'sectionTitleTag' and 'articleTitleTag' Block Attributes. An authenticated attacker with contributor-level access and above can inject arbitrary web scripts into pages, which will execute when a user accesses an injected page. This could lead to unauthorized actions or data breaches if not properly mitigated.

Defensive priority

Medium priority due to the CVSS score of 6.4 and the potential for authenticated attackers to inject malicious scripts.

Recommended defensive actions

  • Update the weDocs plugin to a version that addresses this vulnerability.
  • Implement additional security measures such as Content Security Policy (CSP) to mitigate XSS attacks.
  • Monitor for suspicious activity and ensure that all users with contributor-level access and above are aware of this vulnerability.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.

Evidence notes

The CVE record was published on 2026-07-03T02:16:23.100Z and was last modified on 2026-07-07T18:16:34.263Z. The NVD entry is currently Deferred. The weDocs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'sectionTitleTag' and 'articleTitleTag' Block Attributes in all versions up to, and including, 2.3.0 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts into pages, which will execute when a user accesses an injected page. Evidence limits suggest verifying the plugin version and ensuring proper input sanitization.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-03T02:16:23.100Z and has not been modified since then. The NVD entry is currently Deferred.