Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
PR:L confirmed by contributor-level requirement; S:C because injected script executes in victim browser context; A:N as no availability impact applies.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The BetterDocs - Knowledge Base Docs & FAQ Solution for Elementor & Block Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the blockId attribute of the betterdocs/category-slate-layout Gutenberg block in versions up to, and including, 4.5.3. This is due to insufficient input sanitization and output escaping in the CategorySlateLayout::render() method, which echoes the blockId block attribute directly into an HTML class attribute without esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored Cross-Site Scripting in BetterDocs WordPress plugin (versions ≤4.5.3) allows authenticated contributors to inject persistent malicious scripts via the unescaped blockId attribute of the betterdocs/category-slate-layout Gutenberg block. The injected payload executes in the browser of any visitor who loads the compromised page, enabling session hijacking, credential theft, or admin-level privilege escalation against site operators. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid WordPress account with at minimum contributor-level privileges, as this is the lowest role permitted to create and publish Gutenberg block content via the block editor. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 6.4 score is driven primarily by the Scope:Changed metric (S:C), reflecting that injected JavaScript executes in the victim's browser - a separate security context from the WordPress server. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained or registered a contributor-level WordPress account navigates to the block editor, inserts a betterdocs/category-slate-layout block, and sets the blockId attribute to a crafted value such as ' onmouseover=alert(document.cookie) x=' that escapes the HTML class attribute context and injects executable JavaScript. Once the page is published, every subsequent visitor - including site administrators - triggers the script on page load, enabling the attacker to exfiltrate session cookies, forge admin actions, or redirect users to phishing pages. … |
| Remediation | An upstream fix is available via WordPress plugin SVN changeset 3576713 (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3576713%40betterdocs&new=3576713%40betterdocs), which addresses the missing esc_attr() call in CategorySlateLayout::render(). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37982
GHSA-hcf9-p628-6437