
BetterDocs WordPress Plugin EUVD-2026-25394

CVE-2026-6393 · MEDIUM
Missing Authorization (CWE-862)
2026-04-24 · Wordfence · GHSA-hpvr-gqf8-j82g
CVSS 3.1 base score 4.3 (NVD)

Severity by source

NVD (primary): 4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: Low
  • Availability: None

Lifecycle Timeline (4 events)

  • Analysis Generated · Apr 24, 2026 - 04:32 · vuln.today
  • EUVD ID Assigned · Apr 24, 2026 - 04:00 · euvd · EUVD-2026-25394
  • Analysis Generated · Apr 24, 2026 - 04:00 · vuln.today
  • CVE Published · Apr 24, 2026 - 03:27 · nvd · MEDIUM 4.3

Description (CVE.org)

The BetterDocs plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 4.3.11. This is due to a missing capability check in the generate_openai_content_callback() function, which relies solely on a nonce rather than verifying user permissions. This makes it possible for authenticated attackers, with subscriber-level access and above, to trigger OpenAI API calls using the site's configured API key with arbitrary user-controlled prompts, leading to unauthorized consumption of the site owner's paid AI API quota.

Analysis (AI)

BetterDocs plugin for WordPress versions up to 4.3.11 allows authenticated subscribers and higher to trigger arbitrary OpenAI API calls using the site's configured API key due to missing capability checks in the generate_openai_content_callback() function. An attacker with subscriber-level access can supply arbitrary prompts to exhaust the site owner's paid AI API quota without authorization, resulting in unauthorized financial impact and service degradation. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Create or compromise subscriber account
  • Delivery: Obtain nonce from authenticated session
  • Exploit: Send request to callback function
  • Execution: Bypass capability check
  • Persist: Trigger OpenAI API call
  • Impact: Exhaust API quota

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the attacker to possess a valid WordPress user account with subscriber-level privileges or higher (this includes Author, Editor, and Administrator roles). …

Risk Assessment: CVSS 4.3 reflects low to moderate severity. The vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N indicates network accessibility with low complexity and a requirement for authenticated access (PR:L); the impact measured by the score is confined to integrity (I:L), with no confidentiality or availability impact. The financial cost of consumed API quota is not captured by the CVSS base metrics. …

Exploit Scenario: An attacker with a compromised or legitimate subscriber account (common in multi-author WordPress sites) logs into the WordPress dashboard or sends an authenticated request to the BetterDocs OpenAI callback endpoint. The attacker crafts a request with an arbitrary prompt (e.g., a complex code generation or translation task) and a valid nonce token copied from an admin page. …

Remediation: Update the BetterDocs plugin to a version newer than 4.3.11 that includes capability checks in the generate_openai_content_callback() function. …
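The root cause described above, a nonce used as if it were an authorization check, is a recurring WordPress plugin defect, so the pattern is worth seeing side by side with its fix. The following is an added illustration written for this page; it is not the BetterDocs source code. Only the function name generate_openai_content_callback() comes from the advisory; the nonce action name, the AJAX hook name, the option name holding the API key, the call_openai_api() helper and the choice of the manage_options capability are all assumptions made for the example.

```php
<?php
// Added illustration, not BetterDocs code. A WordPress nonce proves that the
// request originated from a page the logged-in user could load; it does not
// prove the user is allowed to perform the action. Because a Subscriber can
// load pages that render nonces, a nonce-only check lets any authenticated
// user reach the callback. Authorization needs an explicit capability check.

// Hypothetical helper: performs the outbound call with the site-wide API key.
// Every successful call spends the site owner's quota, which is why the
// authorization check in front of it matters.
function call_openai_api( $prompt ) {
    $api_key = get_option( 'example_openai_api_key' ); // assumed option name

    $response = wp_remote_post(
        'https://api.openai.com/v1/chat/completions',
        array(
            'headers' => array(
                'Authorization' => 'Bearer ' . $api_key,
                'Content-Type'  => 'application/json',
            ),
            'body'    => wp_json_encode(
                array(
                    'model'    => 'MODEL-NAME-PLACEHOLDER',
                    'messages' => array( array( 'role' => 'user', 'content' => $prompt ) ),
                )
            ),
            'timeout' => 30,
        )
    );

    if ( is_wp_error( $response ) ) {
        return array( 'error' => $response->get_error_message() );
    }
    return json_decode( wp_remote_retrieve_body( $response ), true );
}

// VULNERABLE pattern (the class of bug the advisory describes): CSRF
// protection only. check_ajax_referer() dies on a bad nonce, but any role
// that obtained a valid nonce passes, including Subscriber.
function generate_openai_content_callback_vulnerable() {
    check_ajax_referer( 'example_openai_nonce', 'nonce' ); // assumed action name

    $prompt = isset( $_POST['prompt'] ) ? sanitize_textarea_field( wp_unslash( $_POST['prompt'] ) ) : '';
    wp_send_json_success( call_openai_api( $prompt ) );
}

// HARDENED pattern: keep the nonce (it still defends against CSRF) and add
// authorization with current_user_can(). Which capability is appropriate is a
// product decision; generating content with a paid site-wide key is treated
// here as an administrative action, hence manage_options.
function generate_openai_content_callback_hardened() {
    check_ajax_referer( 'example_openai_nonce', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        // 403 rather than silently proceeding; wp_send_json_error() exits.
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $prompt = isset( $_POST['prompt'] ) ? sanitize_textarea_field( wp_unslash( $_POST['prompt'] ) ) : '';

    // Bound the input so even an authorized caller cannot submit an
    // arbitrarily large prompt against the metered API.
    if ( '' === $prompt || mb_strlen( $prompt ) > 2000 ) {
        wp_send_json_error( array( 'message' => 'Invalid prompt.' ), 400 );
    }

    wp_send_json_success( call_openai_api( $prompt ) );
}

// Register only the authenticated hook. There is deliberately no
// wp_ajax_nopriv_ variant, so unauthenticated requests never reach the
// callback; the capability check above then decides among logged-in roles.
add_action( 'wp_ajax_example_generate_openai_content', 'generate_openai_content_callback_hardened' );
```

When reviewing a plugin for this defect, search every `wp_ajax_` and REST `permission_callback` handler for a `check_ajax_referer()` or `wp_verify_nonce()` that is not accompanied by a `current_user_can()` (or an equivalent role test); the nonce alone is never sufficient evidence that the caller is authorized.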



EUVD-2026-25394 vulnerability details – vuln.today
