Description
The BetterDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.3 via the scripts() function. This makes it possible for authenticated attackers, with contributor-level access and above, to extract sensitive data including the OpenAI API key stored in plugin settings.
Published: 2026-01-09
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Exposure
Action: Upgrade
AI Analysis

Impact

The BetterDocs WordPress plugin is vulnerable in all releases up to 4.3.3 via the scripts() function. An authenticated attacker with contributor or higher privileges can read plugin settings, including the OpenAI API key. This allows the attacker to gain access to proprietary credentials and potentially use the key for unauthorized API calls, leading to data leakage and misuse of accounts.

Affected Systems

WordPress sites that have installed the BetterDocs plugin from wpdevteam up to and including version 4.3.3 are affected. All users of the plugin within those versions who have contributor-level or higher permissions can exploit the flaw.

Risk and Exploitability

The CVSS score of 6.5 ranks this vulnerability as moderate severity, and the EPSS score of less than 1% indicates a low probability of exploitation at this time. It is not listed in the CISA KEV catalog. Attackers require only authenticated access at the contributor level, a role commonly granted to content editors, which makes the attack vector relatively straightforward for insiders or compromised accounts, but the low EPSS suggests active exploitation has not been observed.

Generated by OpenCVE AI on April 22, 2026 at 15:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the BetterDocs plugin to version 4.3.4 or newer where the scripts() function is secured.
  • If an upgrade cannot be performed immediately, deactivate or uninstall the plugin to deny any extraction of sensitive data.
  • After the upgrade, remove the exposed OpenAI API key from the plugin settings and generate a new key to prevent reuse of compromised credentials.

Generated by OpenCVE AI on April 22, 2026 at 15:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 09 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 09 Jan 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpdevteam
Wpdevteam betterdocs
Vendors & Products Wordpress
Wordpress wordpress
Wpdevteam
Wpdevteam betterdocs

Fri, 09 Jan 2026 06:45:00 +0000

Type Values Removed Values Added
Description The BetterDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.3 via the scripts() function. This makes it possible for authenticated attackers, with contributor-level access and above, to extract sensitive data including the OpenAI API key stored in plugin settings.
Title BetterDocs <= 4.3.3 - Authenticated (Contributor+) Sensitive Information Exposure
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Wordpress Wordpress
Wpdevteam Betterdocs
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:36:59.020Z

Reserved: 2025-12-19T16:27:14.224Z

Link: CVE-2025-14980

cve-icon Vulnrichment

Updated: 2026-01-09T18:24:34.900Z

cve-icon NVD

Status : Deferred

Published: 2026-01-09T07:16:01.913

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14980

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T16:00:12Z

Weaknesses