The BetterDocs Pro plugin for WordPress contains a local file inclusion flaw in all released versions up to and including 3.8.0. A malicious actor can submit a URL‑encoded value for the 'doc_style' parameter that points to any file on the server and cause the plugin to include and execute that file. Because the failure to sanitize the file path occurs before authentication checks, an unauthenticated attacker can trigger the vulnerability and run arbitrary PHP code. This allows the attacker to bypass WordPress access controls, exfiltrate sensitive data, or fully compromise the hosting server. The flaw is rated CVSS 9.8, indicating critical severity.

The vulnerability affects the BetterDocs Pro WordPress plugin, specifically all deployments using version 3.8.0 or earlier. No other WordPress core components or third‑party plugins are directly impacted by this flaw.

Exploitability is high due to the lack of required authentication; the LFI can be triggered simply by crafting a request to the 'doc_style' parameter. The EPSS score is not available, but the CVSS of 9.8 and absence from CISA KEV lists confirm that the flaw is a severe, potentially exploited vulnerability. An attacker would need write or read access to an arbitrary file on the web root; if PHP files can be uploaded elsewhere on the server, the attacker could first upload a payload and then trigger the LFI to execute it. The access control bypass could allow escalation to a privileged user or compromise of the entire host.