Skip to main content

BetterDocs CVE-2026-15104

| EUVDEUVD-2026-42840 MEDIUM
SQL Injection (CWE-89)
2026-07-10 Wordfence GHSA-6r9x-hjc8-pghq
6.5
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
5.3 MEDIUM

Mandatory multilingual plugin dependency is a beyond-attacker-control prerequisite justifying AC:H over vendor-assigned AC:L; PR:L reflects confirmed custom-role authentication requirement.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 10, 2026 - 09:16 vuln.today
CVE Published
Jul 10, 2026 - 07:48 cve.org
MEDIUM 6.5

DescriptionCVE.org

The BetterDocs - AI Documentation, Knowledge Base, Docs, Wikis, FAQ with Chatbot plugin for WordPress is vulnerable to generic SQL Injection via the 'lang' parameter in all versions up to, and including, 4.6.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with custom-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation requires a supported multilingual plugin (WPML, Polylang, qTranslate, Weglot, or TranslatePress) to be active on the site, as the vulnerable code path is gated by Helper::is_multilingual_active().

AnalysisAI

SQL Injection in the BetterDocs WordPress plugin (versions up to and including 4.6.0) enables authenticated attackers holding at minimum a custom-level WordPress role to append arbitrary SQL to existing queries via the unsanitized lang parameter, extracting sensitive data from the underlying database. The attack surface is restricted to sites where one of five specific multilingual plugins (WPML, Polylang, qTranslate, Weglot, or TranslatePress) is active, as the vulnerable code path is guarded by Helper::is_multilingual_active(). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain custom-level WordPress account
Delivery
Confirm active multilingual plugin on target
Exploit
Craft malicious SQL payload in 'lang' parameter
Execution
Submit authenticated HTTP request to vulnerable BetterDocs endpoint
Persist
Unsanitized input appended to existing SQL query
Impact
Extract sensitive records from WordPress database

Vulnerability AssessmentAI

Exploitation Two simultaneous conditions must be met: (1) The attacker must possess an authenticated WordPress account with at minimum a 'custom'-level role - the CVSS PR:L vector confirms a low-privilege authenticated requirement, ruling out unauthenticated exploitation. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD/Wordfence-assigned CVSS 3.1 score of 6.5 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N captures network reachability and high confidentiality impact, but the AC:L designation appears optimistic given the mandatory multilingual-plugin prerequisite - a condition entirely beyond the attacker's control. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a custom-level WordPress account on a target site running BetterDocs ≤4.6.0 and an active multilingual plugin crafts a malicious HTTP request with SQL payload appended to the `lang` parameter. The request reaches the vulnerable query-construction logic in PostType.php, where the unescaped, unprepared parameter allows the injected SQL to execute against the WordPress database, returning sensitive records such as user email addresses, hashed passwords, or private post content. …
Remediation Upstream fix code is available via WordPress plugin trac changeset 3601408 (https://plugins.trac.wordpress.org/changeset?reponame=&old=3601408%40betterdocs&new=3601408%40betterdocs); users should update BetterDocs to the release version that incorporates this changeset as soon as it appears in the WordPress plugin directory. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-15104 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy