Skip to main content

BetterDocs CVE-2026-12157

| EUVDEUVD-2026-37982 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-19 Wordfence GHSA-hcf9-p628-6437
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
6.4 MEDIUM

PR:L confirmed by contributor-level requirement; S:C because injected script executes in victim browser context; A:N as no availability impact applies.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 19, 2026 - 06:34 vuln.today
CVE Published
Jun 19, 2026 - 04:31 nvd
MEDIUM 6.4

DescriptionCVE.org

The BetterDocs - Knowledge Base Docs & FAQ Solution for Elementor & Block Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the blockId attribute of the betterdocs/category-slate-layout Gutenberg block in versions up to, and including, 4.5.3. This is due to insufficient input sanitization and output escaping in the CategorySlateLayout::render() method, which echoes the blockId block attribute directly into an HTML class attribute without esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored Cross-Site Scripting in BetterDocs WordPress plugin (versions ≤4.5.3) allows authenticated contributors to inject persistent malicious scripts via the unescaped blockId attribute of the betterdocs/category-slate-layout Gutenberg block. The injected payload executes in the browser of any visitor who loads the compromised page, enabling session hijacking, credential theft, or admin-level privilege escalation against site operators. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain or register contributor-level WordPress account
Delivery
Open Gutenberg editor on new or existing page
Exploit
Insert betterdocs/category-slate-layout block
Execution
Set blockId attribute to XSS payload
Persist
Publish poisoned page
Impact
Victim browser loads page and executes injected script

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid WordPress account with at minimum contributor-level privileges, as this is the lowest role permitted to create and publish Gutenberg block content via the block editor. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.4 score is driven primarily by the Scope:Changed metric (S:C), reflecting that injected JavaScript executes in the victim's browser - a separate security context from the WordPress server. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained or registered a contributor-level WordPress account navigates to the block editor, inserts a betterdocs/category-slate-layout block, and sets the blockId attribute to a crafted value such as ' onmouseover=alert(document.cookie) x=' that escapes the HTML class attribute context and injects executable JavaScript. Once the page is published, every subsequent visitor - including site administrators - triggers the script on page load, enabling the attacker to exfiltrate session cookies, forge admin actions, or redirect users to phishing pages. …
Remediation An upstream fix is available via WordPress plugin SVN changeset 3576713 (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3576713%40betterdocs&new=3576713%40betterdocs), which addresses the missing esc_attr() call in CategorySlateLayout::render(). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12157 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy