CVE-2025-31417

The WP Docs plugin for WordPress contains a missing authorization vulnerability (CVE-2025-31417) that affects versions prior to 2.2.7. The issue stems from a broken access control mechanism, where certain functions lack proper authorization checks, nonce tokens, or authentication requirements. This allows an attacker to exploit incorrectly configured access control security levels [1].

Exploitation does not require authentication, making it accessible to any unauthenticated user who can send crafted requests to the WordPress site. The vulnerability is particularly concerning because it can be leveraged in mass-exploit campaigns targeting thousands of websites simultaneously, regardless of their traffic or popularity [1].

An attacker successfully exploiting this flaw can perform actions that should be restricted to higher-privileged users, such as modifying or accessing sensitive data within the WP Docs plugin. The impact is rated as low severity (CVSS 4.3), but the potential for widespread automated attacks increases the risk [1].

The vulnerability has been patched in version 2.2.7 of the plugin. Users are strongly advised to update immediately. For those unable to update, contacting a hosting provider or web developer for assistance is recommended. Patchstack users can enable auto-updates for vulnerable plugins to mitigate the risk [1].