Description
The BetterDocs Pro plugin for WordPress is vulnerable to SQL Injection via the `get_current_letter_docs` and `docs_sort_by_letter` AJAX actions in all versions up to, and including, 3.7.0. This is due to the `limit` POST parameter being interpolated directly into a SQL query string before being passed to `$wpdb->prepare()`, which only parameterizes other variables. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The Encyclopedia feature must be enabled in BetterDocs Pro settings for the vulnerability to be exploitable.
Published: 2026-05-07
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The BetterDocs Pro plugin for WordPress is vulnerable to SQL injection through the AJAX actions get_current_letter_docs and docs_sort_by_letter. A POST parameter named limit is concatenated directly into a SQL query string before being passed to $wpdb->prepare(), which only parameterizes other variables. An unauthenticated attacker can append additional SQL statements, enabling extraction of sensitive database information. The flaw is only exploitable when the Encyclopedia feature is enabled in the plugin settings.
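
To make the mechanism concrete, here is an added PHP illustration of the pattern the advisory describes, written for this page and not taken from BetterDocs Pro. The function names, the `letter` parameter, the `docs` post type and the column list are assumptions; the only point is where `limit` enters the statement. In the first function `limit` is concatenated into the SQL text before `$wpdb->prepare()` sees it, so the `%s` placeholder protects only the letter; in the second it is validated and bound with `%d`.

```php
<?php
// Added example for this page, not BetterDocs Pro source. The example_* names,
// the 'docs' post type and the 'letter' parameter are assumptions.

// VULNERABLE PATTERN (kept deliberately): $limit_raw is spliced into the SQL
// string first, so $wpdb->prepare() only binds %s (the letter). Whatever the
// client sent as `limit` is already part of the statement text when
// prepare() runs, and prepare() cannot undo that.
function example_vulnerable_letter_docs( $wpdb, $letter, $limit_raw ) {
    $pattern = $wpdb->esc_like( $letter ) . '%';   // escape LIKE wildcards in the letter
    $sql = "SELECT ID, post_title FROM {$wpdb->posts}"
         . " WHERE post_type = 'docs' AND post_status = 'publish'"
         . " AND post_title LIKE %s"
         . " ORDER BY post_title ASC LIMIT " . $limit_raw;   // <-- unparameterised
    return $wpdb->get_results( $wpdb->prepare( $sql, $pattern ) );
}

// HARDENED PATTERN: validate `limit` as a bounded positive integer and bind it
// with %d, which prepare() casts to int. The SQL text is now a constant.
function example_hardened_letter_docs( $wpdb, $letter, $limit_raw ) {
    $limit = absint( $limit_raw );
    if ( $limit < 1 || $limit > 100 ) {
        $limit = 20;   // default page size (assumed)
    }
    $pattern = $wpdb->esc_like( $letter ) . '%';
    $sql = "SELECT ID, post_title FROM {$wpdb->posts}"
         . " WHERE post_type = 'docs' AND post_status = 'publish'"
         . " AND post_title LIKE %s"
         . " ORDER BY post_title ASC LIMIT %d";
    return $wpdb->get_results( $wpdb->prepare( $sql, $pattern, $limit ) );
}

// AJAX wiring: the wp_ajax_nopriv_ hook exposes the action to visitors who are
// not logged in, which is what makes such a handler reachable unauthenticated.
function example_letter_docs_ajax() {
    global $wpdb;
    $letter = isset( $_POST['letter'] ) && is_string( $_POST['letter'] )
        ? sanitize_text_field( wp_unslash( $_POST['letter'] ) ) : 'a';
    $letter = substr( $letter, 0, 1 );
    $limit  = isset( $_POST['limit'] ) ? wp_unslash( $_POST['limit'] ) : '20';
    wp_send_json_success( example_hardened_letter_docs( $wpdb, $letter, $limit ) );
}
add_action( 'wp_ajax_nopriv_example_letter_docs', 'example_letter_docs_ajax' );
add_action( 'wp_ajax_example_letter_docs', 'example_letter_docs_ajax' );
```

In the vulnerable function a `limit` value that is not a plain number rewrites the statement itself rather than a bound value, and MySQL executes whatever SELECT results. One caveat on the wording "append additional SQL queries": `wpdb` sends statements through `mysqli_query()`, which does not execute stacked statements, so injected text has to remain inside the single SELECT. That is consistent with the read-only outcome recorded on this page (CVSS C:H with I:N and A:N, SSVC technical impact "partial").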

Affected Systems

The affected product is the BetterDocs Pro plugin for WordPress, versions up to and including 3.7.0. Any WordPress site running a vulnerable version of this plugin with the Encyclopedia feature enabled is at risk; sites with the feature disabled are not exploitable according to the advisory.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 base score of 7.5 (High) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N: reachable over the network, low attack complexity, no privileges or user interaction required, high confidentiality impact and no integrity or availability impact. The EPSS score is below 1% (very low), the issue is not listed in the CISA KEV catalog, and the SSVC assessment records no known exploitation while marking the flaw as automatable. Because the flaw requires no authentication and is triggered by ordinary HTTP POST requests to the plugin's AJAX actions, an attacker needs no account on the site. Successful exploitation would allow the attacker to read data from the database, potentially exposing sensitive user information.

Generated by OpenCVE AI on May 7, 2026 at 06:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update BetterDocs Pro to a version newer than 3.7.0 as soon as the vendor publishes one; at the time this page was generated no fixed release was listed
  • If an immediate update is not possible, disable the Encyclopedia feature in the plugin settings to remove the attack vector
  • Monitor web server and database logs for POST requests to admin-ajax.php with action=get_current_letter_docs or action=docs_sort_by_letter whose limit value is not a plain integer, and consider a web application firewall rule that rejects such requests
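
As an added example of the last recommendation, and not a vendor-supplied workaround, here is a must-use plugin that rejects requests to the two AJAX actions named in the advisory whenever their `limit` value is not a short run of digits. The file name, the error message, the digit bound and the log format are assumptions; the code relies only on WordPress core functions (`wp_doing_ajax()`, `wp_unslash()`, `wp_send_json_error()`) and on the action and parameter names given on this page.

```php
<?php
/**
 * Plugin Name: Example limit guard for CVE-2026-4348 (interim mitigation)
 *
 * Added example for this page, not BetterDocs Pro code and not a vendor
 * workaround. Place it in wp-content/mu-plugins/ so it loads before regular
 * plugins. It blocks the two advisory-named AJAX actions when `limit` is not
 * a short string of digits; updating the plugin or disabling the
 * Encyclopedia feature remains the real fix.
 */

function example_cve_2026_4348_limit_guard() {
    // admin-ajax.php fires 'init' before dispatching the wp_ajax_* hooks, so
    // a priority-1 'init' callback runs ahead of the plugin's own handler.
    if ( ! wp_doing_ajax() ) {
        return;
    }

    $action = isset( $_REQUEST['action'] ) && is_string( $_REQUEST['action'] )
        ? $_REQUEST['action'] : '';
    $guarded = array( 'get_current_letter_docs', 'docs_sort_by_letter' );
    if ( ! in_array( $action, $guarded, true ) ) {
        return;
    }
    if ( ! isset( $_POST['limit'] ) ) {
        return;   // nothing to validate; the plugin applies its own default
    }

    $limit = wp_unslash( $_POST['limit'] );
    // A legitimate page size is 1-4 decimal digits (the bound is an assumption).
    // Arrays, signs, spaces, quotes and SQL keywords are all rejected here.
    if ( ! is_string( $limit ) || ! preg_match( '/\A[0-9]{1,4}\z/', $limit ) ) {
        $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        error_log( sprintf(
            'limit guard: rejected action=%s limit=%s from %s',
            $action,
            is_string( $limit ) ? substr( $limit, 0, 80 ) : 'non-string',
            $ip
        ) );
        wp_send_json_error( array( 'message' => 'Invalid limit parameter.' ), 400 );
    }
}
add_action( 'init', 'example_cve_2026_4348_limit_guard', 1 );
```

`wp_send_json_error()` ends the request, so the plugin's handler never runs for a rejected value. The guard also applies to logged-in callers, which is intended: the advisory names only the parameter, not the caller's role, as the problem. The same check translates directly into a WAF rule: block POST to /wp-admin/admin-ajax.php where action is one of the two names above and limit does not match ^[0-9]{1,4}$.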

Advisories

No advisories yet.

History

Thu, 07 May 2026 21:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Betterdocs; Betterdocs betterdocs Pro; Wordpress; Wordpress wordpress
Vendors & Products   (none)           Betterdocs; Betterdocs betterdocs Pro; Wordpress; Wordpress wordpress

Thu, 07 May 2026 14:15:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 07 May 2026 05:30:00 +0000

Type         Values Removed   Values Added
Description  (none)           The BetterDocs Pro plugin for WordPress is vulnerable to SQL Injection via the `get_current_letter_docs` and `docs_sort_by_letter` AJAX actions in all versions up to, and including, 3.7.0. This is due to the `limit` POST parameter being interpolated directly into a SQL query string before being passed to `$wpdb->prepare()`, which only parameterizes other variables. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The Encyclopedia feature must be enabled in BetterDocs Pro settings for the vulnerability to be exploitable.
Title        (none)           BetterDocs Pro <= 3.7.0 - Unauthenticated SQL Injection via Encyclopedia 'limit' Parameter
Weaknesses   (none)           CWE-89
References   (none)           (not shown on this page)
Metrics      (none)           cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-07T13:48:52.345Z

Reserved: 2026-03-17T16:48:44.143Z

Link: CVE-2026-4348

Vulnrichment

Updated: 2026-05-07T13:48:46.308Z

NVD

Status : Deferred

Published: 2026-05-07T06:16:05.240

Modified: 2026-05-07T14:00:05.650

Link: CVE-2026-4348

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T21:25:04Z

Weaknesses