Skip to main content

Betterdocs

5 CVEs product

Monthly

CVE-2026-11371 MEDIUM POC PATCH This Month

Stored cross-site scripting via prompt injection in the BetterDocs WordPress plugin (versions 4.0.0 through 4.5.5) allows unauthenticated attackers to permanently implant malicious JavaScript into documentation pages by manipulating the plugin's AI-generated summary feature. Because the AI output is stored unsanitized and the generation endpoint requires no authentication, an attacker can craft adversarial prompts that cause the AI to produce and persist executable script payloads - payloads that then fire in the browser of every subsequent visitor, including WordPress administrators. A publicly available exploit exists via WPScan; no active exploitation confirmed in CISA KEV at time of analysis.

WordPress XSS Betterdocs
NVD WPScan
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-42644 MEDIUM This Month

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPDeveloper BetterDocs betterdocs allows Retrieve Embedded Sensitive Data.This issue affects BetterDocs: from n/a through <= 4.3.10.

Information Disclosure Betterdocs
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2024-43129 HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WPDeveloper BetterDocs allows PHP Local File Inclusion.5.8. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal PHP Betterdocs
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2024-43227 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WPDeveloper BetterDocs allows Stored XSS.5.8. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Betterdocs
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2024-30226 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in WPDeveloper BetterDocs.3.3. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. Epss exploitation probability 11.8% and no vendor patch available.

Deserialization Betterdocs
NVD
CVSS 3.1
9.0
EPSS
11.8%
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

Stored cross-site scripting via prompt injection in the BetterDocs WordPress plugin (versions 4.0.0 through 4.5.5) allows unauthenticated attackers to permanently implant malicious JavaScript into documentation pages by manipulating the plugin's AI-generated summary feature. Because the AI output is stored unsanitized and the generation endpoint requires no authentication, an attacker can craft adversarial prompts that cause the AI to produce and persist executable script payloads - payloads that then fire in the browser of every subsequent visitor, including WordPress administrators. A publicly available exploit exists via WPScan; no active exploitation confirmed in CISA KEV at time of analysis.

WordPress XSS Betterdocs
NVD WPScan
EPSS 0% CVSS 5.3
MEDIUM This Month

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPDeveloper BetterDocs betterdocs allows Retrieve Embedded Sensitive Data.This issue affects BetterDocs: from n/a through <= 4.3.10.

Information Disclosure Betterdocs
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WPDeveloper BetterDocs allows PHP Local File Inclusion.5.8. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal PHP Betterdocs
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WPDeveloper BetterDocs allows Stored XSS.5.8. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Betterdocs
NVD
EPSS 12% CVSS 9.0
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in WPDeveloper BetterDocs.3.3. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. Epss exploitation probability 11.8% and no vendor patch available.

Deserialization Betterdocs
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy