Betterdocs
Monthly
Stored cross-site scripting via prompt injection in the BetterDocs WordPress plugin (versions 4.0.0 through 4.5.5) allows unauthenticated attackers to permanently implant malicious JavaScript into documentation pages by manipulating the plugin's AI-generated summary feature. Because the AI output is stored unsanitized and the generation endpoint requires no authentication, an attacker can craft adversarial prompts that cause the AI to produce and persist executable script payloads - payloads that then fire in the browser of every subsequent visitor, including WordPress administrators. A publicly available exploit exists via WPScan; no active exploitation confirmed in CISA KEV at time of analysis.
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPDeveloper BetterDocs betterdocs allows Retrieve Embedded Sensitive Data.This issue affects BetterDocs: from n/a through <= 4.3.10.
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WPDeveloper BetterDocs allows PHP Local File Inclusion.5.8. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WPDeveloper BetterDocs allows Stored XSS.5.8. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in WPDeveloper BetterDocs.3.3. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. Epss exploitation probability 11.8% and no vendor patch available.
Stored cross-site scripting via prompt injection in the BetterDocs WordPress plugin (versions 4.0.0 through 4.5.5) allows unauthenticated attackers to permanently implant malicious JavaScript into documentation pages by manipulating the plugin's AI-generated summary feature. Because the AI output is stored unsanitized and the generation endpoint requires no authentication, an attacker can craft adversarial prompts that cause the AI to produce and persist executable script payloads - payloads that then fire in the browser of every subsequent visitor, including WordPress administrators. A publicly available exploit exists via WPScan; no active exploitation confirmed in CISA KEV at time of analysis.
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPDeveloper BetterDocs betterdocs allows Retrieve Embedded Sensitive Data.This issue affects BetterDocs: from n/a through <= 4.3.10.
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WPDeveloper BetterDocs allows PHP Local File Inclusion.5.8. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WPDeveloper BetterDocs allows Stored XSS.5.8. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in WPDeveloper BetterDocs.3.3. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. Epss exploitation probability 11.8% and no vendor patch available.