Skip to main content

Betterdocs Ai Documentation Knowledge Base Docs Wikis Faq With Chatbot

2 CVEs product

Monthly

CVE-2026-15104 MEDIUM This Month

SQL Injection in the BetterDocs WordPress plugin (versions up to and including 4.6.0) enables authenticated attackers holding at minimum a custom-level WordPress role to append arbitrary SQL to existing queries via the unsanitized `lang` parameter, extracting sensitive data from the underlying database. The attack surface is restricted to sites where one of five specific multilingual plugins (WPML, Polylang, qTranslate, Weglot, or TranslatePress) is active, as the vulnerable code path is guarded by `Helper::is_multilingual_active()`. No public exploit identified at time of analysis; EPSS data unavailable, and the CVE is not listed in CISA KEV.

WordPress SQLi Betterdocs Ai Documentation Knowledge Base Docs Wikis Faq With Chatbot
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-12157 MEDIUM This Month

Stored Cross-Site Scripting in BetterDocs WordPress plugin (versions ≤4.5.3) allows authenticated contributors to inject persistent malicious scripts via the unescaped blockId attribute of the betterdocs/category-slate-layout Gutenberg block. The injected payload executes in the browser of any visitor who loads the compromised page, enabling session hijacking, credential theft, or admin-level privilege escalation against site operators. No public exploit identified at time of analysis, but the contributor-level authentication threshold makes this accessible on any WordPress site permitting open or shared content authorship.

WordPress XSS Betterdocs Ai Documentation Knowledge Base Docs Wikis Faq With Chatbot
NVD
CVSS 3.1
6.4
EPSS
0.2%
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL Injection in the BetterDocs WordPress plugin (versions up to and including 4.6.0) enables authenticated attackers holding at minimum a custom-level WordPress role to append arbitrary SQL to existing queries via the unsanitized `lang` parameter, extracting sensitive data from the underlying database. The attack surface is restricted to sites where one of five specific multilingual plugins (WPML, Polylang, qTranslate, Weglot, or TranslatePress) is active, as the vulnerable code path is guarded by `Helper::is_multilingual_active()`. No public exploit identified at time of analysis; EPSS data unavailable, and the CVE is not listed in CISA KEV.

WordPress SQLi Betterdocs Ai Documentation Knowledge Base Docs Wikis Faq With Chatbot
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in BetterDocs WordPress plugin (versions ≤4.5.3) allows authenticated contributors to inject persistent malicious scripts via the unescaped blockId attribute of the betterdocs/category-slate-layout Gutenberg block. The injected payload executes in the browser of any visitor who loads the compromised page, enabling session hijacking, credential theft, or admin-level privilege escalation against site operators. No public exploit identified at time of analysis, but the contributor-level authentication threshold makes this accessible on any WordPress site permitting open or shared content authorship.

WordPress XSS Betterdocs Ai Documentation Knowledge Base Docs Wikis Faq With Chatbot
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy