CVE-2026-24990
Description
Missing Authorization vulnerability in Fahad Mahmood WP Docs wp-docs allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Docs: from n/a through <= 2.2.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in WP Docs plugin <=2.2.8 allows unauthenticated attackers to exploit incorrectly configured access controls.
Vulnerability
Overview
The WP Docs plugin for WordPress, versions 2.2.8 and earlier contains a missing authorization vulnerability [1]. This flaw stems from incorrectly configured access control security levels, allowing unprivileged users to execute actions that should require higher privileges [1].
Exploitation
An attacker with any authenticated role can exploit this broken access control checks that are missing or improperly implemented [1]. The attack does not require special network position or complex prerequisites beyond having a WordPress user account on the target site [1].
Impact
Successful exploitation enables an attacker to perform unauthorized actions, potentially accessing or modifying documents that should be restricted [1]. This can lead to data exposure or content manipulation, depending on the specific missing authorization [1].
Mitigation
The vendor has released version 2.2.9 which resolves the issue [1]. Users are strongly advised to update immediately. If unable to update, consult your hosting provider or web developer for assistance [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: <=2.2.8
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
1- Wordfence Intelligence Weekly WordPress Vulnerability Report (April 13, 2026 to April 19, 2026)Wordfence Blog · Apr 23, 2026