The vulnerability identified as CVE-2025-14574 affects the weDocs plugin for WordPress, a tool designed to provide AI-powered knowledge bases, documentation, wikis, and chatbots. The flaw exists in all versions up to and including 2.1.15 and involves the exposure of sensitive information through the REST API endpoint /wp-json/wp/v2/docs/settings. This endpoint improperly discloses configuration data, including API keys for third-party services, without requiring any authentication or user interaction. The weakness is classified under CWE-200, indicating exposure of sensitive information to unauthorized actors. The vulnerability is remotely exploitable over the network (AV:N), requires no privileges (PR:N), and no user interaction (UI:N), which increases its risk profile. However, the impact is limited to confidentiality loss (C:L) without affecting integrity or availability. No patches were linked at the time of reporting, and no active exploits have been observed in the wild. The vulnerability was reserved in December 2025 and published in January 2026, with a CVSS v3.1 score of 5.3, indicating medium severity. The exposure of API keys can lead to unauthorized access to integrated third-party services, potentially enabling further attacks or data exfiltration beyond the WordPress environment.

Organizations using the weDocs plugin on WordPress sites are at risk of unauthorized disclosure of sensitive configuration data, including API keys for third-party services. This can lead to unauthorized access to external services, data breaches, or abuse of those services, potentially resulting in financial loss, reputational damage, and compliance violations. Since the vulnerability requires no authentication and can be exploited remotely, attackers can easily harvest sensitive information from vulnerable sites. The impact is primarily on confidentiality; however, the compromised API keys could be leveraged for broader attacks, including privilege escalation or lateral movement within an organization's infrastructure. The lack of integrity or availability impact reduces the immediate operational risk but does not diminish the potential for significant indirect consequences. Organizations relying on third-party integrations exposed via these API keys are particularly vulnerable. The absence of known exploits in the wild suggests a window for proactive mitigation before widespread exploitation occurs.

1. Immediately monitor for updates from the wedevs team and apply patches promptly once available to fix the vulnerability. 2. Until a patch is released, restrict access to the /wp-json/wp/v2/docs/settings REST API endpoint by implementing web application firewall (WAF) rules or server-level access controls to block unauthenticated requests. 3. Review and rotate any third-party API keys that may have been exposed to limit potential misuse. 4. Limit the permissions and scope of third-party API keys to minimize damage if compromised. 5. Conduct regular security audits of WordPress plugins and their configurations to identify and remediate similar exposures. 6. Employ monitoring and alerting for unusual API usage patterns that could indicate exploitation attempts. 7. Educate site administrators on the risks of exposing sensitive configuration data and the importance of timely updates. 8. Consider isolating critical API keys and secrets from publicly accessible configurations or endpoints where possible.