WP Docs Vulnerability (Medium) – CVE-2026-24990

Feb 10, 2026 | Plugins

Attack Vectors

CVE-2026-24990 affects the WP Docs WordPress plugin (slug: wp-docs) in versions 2.2.8 and earlier and is rated Medium severity (CVSS 4.3).

The primary risk comes from authenticated access: an attacker who can log in with a low-privilege account, such as a Subscriber, may be able to trigger an unauthorized action over the network without any user interaction (UI:N) and without special preconditions (AC:L). Together with the other published metrics (PR:L, C:N, I:L, A:N) this corresponds to the CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, which scores 4.3.

In practical business terms, this means the attack path often starts with compromised or abused credentials (e.g., password reuse, shared accounts, or users who should not have accounts but do), followed by misuse of the plugin’s exposed functionality.

Security Weakness

The root issue is a missing authorization (capability) check on a function in WP Docs up to version 2.2.8. In WordPress terms, capability checks are the guardrails that ensure only the right roles can perform sensitive actions. A logged-in session is not authorization: a handler reached through admin-ajax.php or the REST API runs for any authenticated user unless it explicitly calls current_user_can() (and, for state-changing requests, verifies a nonce).

Because that check is missing, a user who is authenticated but should not have the authority (including Subscriber-level and above) may be able to perform an action the plugin did not intend them to perform. The published CVSS vector indicates Integrity impact is Low (I:L) with No confidentiality (C:N) and No availability (A:N) impact reported.

Remediation: Update WP Docs to 2.2.9 or a newer patched version to address this authorization gap. Confirm the installed version from the plugin list or with WP-CLI after updating, and review recent changes to plugin-managed content for edits made by accounts that should not have had that access.
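To make the weakness concrete, here is an added illustration in PHP. It is not WP Docs' own code and does not reproduce the vulnerable function; the action names, function names and the `docs` post type are assumed for the example. It shows a hypothetical documentation plugin's AJAX handler with the class of defect described above (no capability check), then the same handler hardened with a nonce check, an object-level capability check and input sanitization, plus the equivalent authorization gate for a REST route.

```php
<?php
// Added example, not WP Docs' code. Hypothetical AJAX handler for a
// documentation plugin; names and the 'docs' post type are assumed.

// --- Vulnerable pattern ---------------------------------------------------
// wp_ajax_{action} fires for every authenticated user, Subscriber included.
// Being logged in proves identity, not authorization.
add_action( 'wp_ajax_docs_update_title', 'docs_update_title_vulnerable' );

function docs_update_title_vulnerable() {
    $doc_id = (int) $_POST['doc_id'];
    // Missing: nonce check, capability check, sanitization.
    wp_update_post( array(
        'ID'         => $doc_id,
        'post_title' => $_POST['title'],
    ) );
    wp_send_json_success();
}

// --- Hardened pattern -----------------------------------------------------
add_action( 'wp_ajax_docs_update_title_v2', 'docs_update_title_hardened' );

function docs_update_title_hardened() {
    // 1. CSRF: the request must carry a nonce issued for this action.
    check_ajax_referer( 'docs_update_title', 'nonce' );

    $doc_id = isset( $_POST['doc_id'] ) ? absint( $_POST['doc_id'] ) : 0;

    // 2. Authorization: check the capability for the specific object, not a
    //    generic "is logged in". edit_post goes through map_meta_cap, so an
    //    Author may edit their own docs but not someone else's.
    if ( ! $doc_id || ! current_user_can( 'edit_post', $doc_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Scope: only operate on the post type this plugin owns (assumed 'docs').
    $post = get_post( $doc_id );
    if ( ! $post || 'docs' !== $post->post_type ) {
        wp_send_json_error( array( 'message' => 'not found' ), 404 );
    }

    // 4. Input: unslash and sanitize before writing.
    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    if ( '' === $title ) {
        wp_send_json_error( array( 'message' => 'title required' ), 400 );
    }

    wp_update_post( array( 'ID' => $doc_id, 'post_title' => $title ) );
    wp_send_json_success( array( 'id' => $doc_id ) );
}

// The nonce the hardened handler verifies is issued to the admin script.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'docs-admin', 'docsAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'docs_update_title' ),
    ) );
} );

// --- Same check for a REST route -----------------------------------------
// permission_callback is the authorization gate; '__return_true' here would
// be the REST equivalent of the missing capability check above.
add_action( 'rest_api_init', function () {
    register_rest_route( 'docs/v1', '/doc/(?P<id>\d+)/title', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $req ) {
            $title = sanitize_text_field( $req->get_param( 'title' ) );
            wp_update_post( array( 'ID' => (int) $req['id'], 'post_title' => $title ) );
            return rest_ensure_response( array( 'id' => (int) $req['id'] ) );
        },
        'permission_callback' => function ( WP_REST_Request $req ) {
            return current_user_can( 'edit_post', (int) $req['id'] );
        },
    ) );
} );
```

When reviewing a plugin for this class of issue, grep every `wp_ajax_` and `register_rest_route` registration and confirm the callback (or `permission_callback`) reaches a `current_user_can()` check before any write; a nonce alone is not an authorization check, since WordPress issues nonces to Subscribers too.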

Technical or Business Impacts

For leadership and compliance stakeholders, the key concern is that this vulnerability can enable unauthorized changes initiated by accounts that appear “legitimate” in logs (because the attacker is logged in). Even a low-impact integrity issue can create outsized business risk when it affects public-facing pages, brand messaging, or internal documentation.

Business impacts may include: website content changes that undermine brand trust, misstatements that create legal or regulatory exposure, operational distraction during incident response, and increased scrutiny from auditors if access controls are shown to be ineffective.

Because the attack requires an authenticated account (PR:L), risk is highest for organizations with: many user accounts, weak account lifecycle management, shared credentials, or high exposure to credential stuffing. From a governance perspective, this is a reminder that “Subscriber” does not always mean “low risk” when plugins expose privileged actions.

Similar Attacks

Authorization and access-control weaknesses are a common real-world cause of content tampering and administrative misuse. Examples include:

CVE-2021-44223 (WordPress core) — before 5.8, core did not support the Update URI plugin header, which made supply-chain attacks on plugin updates easier for plugins whose slug was not yet registered in the WordPress.org directory

CVE-2020-25213 (WP File Manager plugin) — an exposed elFinder connector allowed unauthenticated file upload and remote code execution, and was widely exploited in 2020

OWASP Top 10: Broken Access Control — why missing checks become business incidents
