Description
The BetterDocs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'betterdocs_feedback_form' shortcode in all versions up to, and including, 4.3.8. This is due to insufficient input sanitization and output escaping on user supplied shortcode attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-04-16
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via shortcode attributes
Action: Apply Patch
AI Analysis

Impact

The BetterDocs WordPress plugin contains a stored cross‑site scripting flaw in the 'betterdocs_feedback_form' shortcode. Insufficient sanitization and escaping of user‑supplied shortcode attributes allow attackers to inject arbitrary scripts. Once injected, the malicious code executes whenever an authenticated contributor or higher‐privileged user accesses the page, potentially leading to session hijacking, data theft, or defacement. The weakness is a classic input validation error (CWE‑79).

Affected Systems

BetterDocs plugin for WordPress, versions 4.3.8 and earlier, distributed by wpdevteam. The vulnerability applies to sites that use the feedback form shortcode in any page or post.

Risk and Exploitability

The flaw scores a moderate CVSS 6.4, with no EPSS data and no listing in the CISA KEV catalog, indicating some risk but not a known widespread exploitation. Attack requires authenticated access at the contributor level or higher; the attacker then supplies malicious shortcode attributes. The impact is limited to the contents of the site, but the stored nature means the payload persists until removed or the plugin is upgraded.

Generated by OpenCVE AI on April 16, 2026 at 08:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade BetterDocs to version 4.3.9 or later to remove the vulnerable shortcode handling code.
  • If an upgrade is not available, immediately remove or disable the 'betterdocs_feedback_form' shortcode from any content that contributors can edit.
  • Apply a web‑application firewall or content‑security policy rule to block or strip script tags from shortcode attribute values until a patch is applied.

Generated by OpenCVE AI on April 16, 2026 at 08:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 16 Apr 2026 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpdevteam
Wpdevteam betterdocs – Knowledge Base Docs & Faq Solution For Elementor & Block Editor
Vendors & Products Wordpress
Wordpress wordpress
Wpdevteam
Wpdevteam betterdocs – Knowledge Base Docs & Faq Solution For Elementor & Block Editor

Thu, 16 Apr 2026 07:15:00 +0000

Type Values Removed Values Added
Description The BetterDocs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'betterdocs_feedback_form' shortcode in all versions up to, and including, 4.3.8. This is due to insufficient input sanitization and output escaping on user supplied shortcode attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title BetterDocs <= 4.3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
Wpdevteam Betterdocs – Knowledge Base Docs & Faq Solution For Elementor & Block Editor
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-16T13:41:59.186Z

Reserved: 2026-03-10T10:33:26.535Z

Link: CVE-2026-3875

cve-icon Vulnrichment

Updated: 2026-04-16T13:41:22.149Z

cve-icon NVD

Status : Received

Published: 2026-04-16T07:16:30.207

Modified: 2026-04-16T07:16:30.207

Link: CVE-2026-3875

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T09:11:38Z

Weaknesses