CVE-2025-14980 affects BetterDocs and exposes a high-value secret through a surprisingly common WordPress anti-pattern. The plugin places an OpenAI API key into a JavaScript object that is printed in the admin area, and the admin screen that prints it is reachable by Contributor-level users. A user who is not trusted to manage integrations can therefore read the key simply by opening the BetterDocs dashboard and inspecting the page source or the DevTools network responses. The immediate consequence is that a low-privilege account obtains a reusable external credential that is valid outside WordPress, which turns a local dashboard information leak into a third-party account abuse scenario.

CVE: CVE-2025-14980
Plugin Version: BetterDocs <= 4.3.3
All Time (downloads): 2 322 482
Active installations: 50 000+
Publicly Published: January 8, 2026
Last Updated: January 8, 2026
Researcher: Dmitrii Ignatyev
PoC: Yes
Exploit: No
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14980
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/betterdocs/betterdocs-433-authenticated-contributor-sensitive-information-exposure
https://t.me/cleantalk_researches/381

Timeline

December 18, 2025: Plugin testing and vulnerability detection in BetterDocs have been completed
November 18, 2025: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
January 8, 2026: Registered CVE-2025-14980

Discovery of the Vulnerability

The vulnerability arises from admin script localization, where PHP embeds configuration values into JavaScript (typically via wp_localize_script) so that front-end code can read them. This is a normal WordPress development technique, but it becomes a security flaw when sensitive values are included and the page is reachable by roles that are not authorized to see those secrets. In this case the value is exposed under a property named like ai_autowrite_api_key on the BetterDocs dashboard page. The discovery is practical and reproducible: log in as a Contributor, open the BetterDocs dashboard, and inspect the localized script payload in the page source. If the key is present, the plugin has effectively downgraded a server-side secret into client-side data visible to anyone who can view that admin screen.

Understanding Sensitive Data Exposure attacks

This class of vulnerability is a recurring source of third-party credential leaks in WordPress. Plugins often store API keys in the options table and then pass them into JavaScript for convenience, for example to power preview features or AI helpers inside Gutenberg- or Elementor-style UIs. The mistake is treating an API key like a display setting. An OpenAI key is not just an internal configuration value: it is a bearer credential that can be used from anywhere on the internet, and it usually maps directly to billing and usage limits. Once leaked, an attacker can use it to run prompts, burn tokens, and exhaust quotas, causing billing abuse and service disruption for legitimate users. The same pattern has been seen with Google Maps keys, SMTP credentials, and social media tokens, where what looks like a harmless UI convenience becomes a serious incident because the credential is portable and long-lived.

Exploiting the Sensitive Data Exposure Vulnerability

To exploit CVE-2025-14980, an attacker needs nothing more than a Contributor+ account and its session cookies:

POC:

Go to http://127.0.0.1/wordpress/wp-admin/admin.php?page=betterdocs-dashboard as a Contributor+ user
Search the page source (or the localized script data shown in DevTools) for ai_autowrite_api_key; the value next to it is the OpenAI key
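A site owner can check for this class of leak without reading page source by hand. The following must-use plugin is an added example written for this article, not part of BetterDocs or of CleanTalk's tooling. It hooks in after scripts are enqueued but before WordPress prints them, walks the data that every registered script will inject inline (wp_localize_script data and wp_add_inline_script snippets), and logs any value that looks like a credential together with the requesting user's roles. The regex patterns, the "sk-" prefix assumption for OpenAI keys, and the log format are assumptions of this example.

```php
<?php
/**
 * Plugin Name: Localized Secret Audit
 *
 * Added example, not part of BetterDocs or CleanTalk tooling. Drop this file into
 * wp-content/mu-plugins/. On every admin request it reads the data that enqueued
 * scripts push into the HTML (wp_localize_script / wp_add_inline_script) before
 * it is printed, and logs anything that looks like a credential. The patterns and
 * the log format below are assumptions, not something the advisory specifies.
 */

// Regexes for values that should never reach a browser. Extend for your stack.
function lsa_secret_patterns() {
    return array(
        // OpenAI-style secret keys. The "sk-" prefix is an assumption based on the common convention.
        'openai_key'   => '/\bsk-[A-Za-z0-9_\-]{20,}/',
        // Any localized property whose name suggests a credential and whose value is non-trivial.
        'named_secret' => '/"[^"]*(api_key|apikey|api-key|secret|token|password)[^"]*"\s*:\s*"([^"]{8,})"/i',
    );
}

// Scan one blob of script text; return the pattern name plus a redacted copy of each hit.
function lsa_scan_string( $data ) {
    $hits = array();
    foreach ( lsa_secret_patterns() as $name => $regex ) {
        if ( preg_match_all( $regex, $data, $m ) ) {
            foreach ( $m[0] as $match ) {
                $hits[] = array(
                    'pattern'  => $name,
                    'redacted' => substr( $match, 0, 12 ) . '***', // never write the full secret to the log
                );
            }
        }
    }
    return $hits;
}

// Collect every string a registered script will inject inline: localized data plus inline before/after snippets.
function lsa_inline_blobs( $dep ) {
    $blobs = array();
    if ( ! empty( $dep->extra['data'] ) ) {
        $blobs[] = $dep->extra['data'];
    }
    foreach ( array( 'before', 'after' ) as $pos ) {
        if ( ! empty( $dep->extra[ $pos ] ) && is_array( $dep->extra[ $pos ] ) ) {
            // add_inline_script stores an array that may start with a literal false; keep strings only.
            $blobs = array_merge( $blobs, array_filter( $dep->extra[ $pos ], 'is_string' ) );
        }
    }
    return $blobs;
}

function lsa_audit_scripts() {
    $scripts = wp_scripts();
    $user    = wp_get_current_user();
    $uri     = isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '';

    foreach ( $scripts->registered as $handle => $dep ) {
        foreach ( lsa_inline_blobs( $dep ) as $blob ) {
            foreach ( lsa_scan_string( $blob ) as $hit ) {
                error_log( sprintf(
                    '[lsa] script "%s" localizes a %s (%s) for user "%s" (roles: %s) on %s',
                    $handle,
                    $hit['pattern'],
                    $hit['redacted'],
                    $user->user_login,
                    implode( ',', (array) $user->roles ),
                    $uri
                ) );
            }
        }
    }
}

// Priority 1 runs after admin_enqueue_scripts but before print_head_scripts (20) and
// _wp_footer_scripts (10) actually emit the localized data into the page.
add_action( 'admin_print_scripts', 'lsa_audit_scripts', 1 );
add_action( 'admin_print_footer_scripts', 'lsa_audit_scripts', 1 );
```

Log in with a Contributor test account, open the BetterDocs dashboard, and read the PHP error log: a line such as `[lsa] script "..." localizes a openai_key (sk-proj-abcd***) for user "contrib" (roles: contributor)` is the finding the PoC above describes. Running the audit under a low-privilege role is the point; the same key localized only for administrators is a weaker but still worthwhile finding.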

____

The primary impact is confidentiality loss of a third party credential with direct financial and operational consequences. An attacker can use the OpenAI API key to generate content, run large prompts, and drain the billing account or hit rate limits, causing the site’s AI features to fail for legitimate staff. If the site uses the key for automated doc generation, the attacker can also indirectly harm editorial workflows by consuming quota at the wrong time. On teams where Contributor accounts are common, the risk becomes an insider abuse and account compromise accelerator. A compromised Contributor account is often considered low severity, but with this bug it becomes a gateway to external abuse, which increases the blast radius significantly. The bigger the organization, the more likely the same OpenAI account is used across multiple sites or environments, so a single WordPress leak can translate into a broader cross project incident.

Recommendations for Improved Security

The fix is to treat API keys as secrets that must never be sent to the browser. BetterDocs should stop localizing the OpenAI key into admin scripts and should instead proxy any AI functionality through server side endpoints that perform the necessary calls without exposing the credential. If a client side feature needs to know whether AI is enabled, it should receive only a boolean flag, never the key itself. Access to the BetterDocs dashboard should be restricted to roles that truly need it, and the plugin should enforce capability checks server side for every admin page and AJAX endpoint. For site owners, if exposure is suspected, rotate the OpenAI API key immediately, audit usage for unexpected spikes, and review WordPress role assignments to ensure Contributors cannot access administrative plugin dashboards unless required.
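The two halves of that recommendation side by side, as an added example rather than BetterDocs' actual code. The menu hook suffix, option name, script handle, REST namespace, the manage_options capability, and the model name are assumptions chosen to match the advisory's description. The vulnerable function localizes the option straight into the dashboard page; the hardened pair localizes only a boolean and a nonce and routes the OpenAI call through a REST endpoint whose permission_callback is enforced server-side.

```php
<?php
// Added example, not BetterDocs' code. Names and the manage_options capability are assumptions.

define( 'BD_EXAMPLE_OPTION', 'betterdocs_ai_api_key' ); // where the OpenAI key is stored server-side

/*
 * BEFORE (the anti-pattern): the option value is localized into the dashboard page.
 * Every user who can open the screen receives the key inside a <script> tag.
 */
function bd_example_vulnerable_assets( $hook ) {
    if ( 'toplevel_page_betterdocs-dashboard' !== $hook ) { // hook suffix is an assumption
        return;
    }
    wp_enqueue_script( 'bd-dashboard', plugins_url( 'dashboard.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'bd-dashboard', 'betterdocsDashboard', array(
        'ai_autowrite_api_key' => get_option( BD_EXAMPLE_OPTION ), // <-- the secret leaves the server here
    ) );
}

/*
 * AFTER: the browser gets only a capability flag, the endpoint URL and a REST nonce.
 * The key stays in PHP and is used by a proxy endpoint that performs the OpenAI call.
 */
function bd_example_hardened_assets( $hook ) {
    if ( 'toplevel_page_betterdocs-dashboard' !== $hook ) {
        return;
    }
    wp_enqueue_script( 'bd-dashboard', plugins_url( 'dashboard.js', __FILE__ ), array( 'wp-api-fetch' ), '1.1', true );
    wp_localize_script( 'bd-dashboard', 'betterdocsDashboard', array(
        'ai_enabled'  => (bool) get_option( BD_EXAMPLE_OPTION ) && current_user_can( 'manage_options' ),
        'ai_endpoint' => rest_url( 'betterdocs-example/v1/ai/autowrite' ),
        'nonce'       => wp_create_nonce( 'wp_rest' ), // sent back as the X-WP-Nonce header
    ) );
}

function bd_example_register_proxy() {
    register_rest_route( 'betterdocs-example/v1', '/ai/autowrite', array(
        'methods'             => WP_REST_Server::CREATABLE,
        // Server-side gate: a Contributor (no manage_options) gets a 403 before the key is ever read.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'prompt' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_textarea_field',
            ),
        ),
        'callback'            => 'bd_example_proxy_autowrite',
    ) );
}

function bd_example_proxy_autowrite( WP_REST_Request $request ) {
    $key = get_option( BD_EXAMPLE_OPTION );
    if ( empty( $key ) ) {
        return new WP_Error( 'bd_ai_disabled', 'AI autowrite is not configured.', array( 'status' => 404 ) );
    }

    $response = wp_remote_post( 'https://api.openai.com/v1/chat/completions', array(
        'timeout' => 30,
        'headers' => array(
            'Authorization' => 'Bearer ' . $key, // the only place the key is used
            'Content-Type'  => 'application/json',
        ),
        'body'    => wp_json_encode( array(
            'model'    => 'gpt-4o-mini', // model name is an assumption of this example
            'messages' => array( array( 'role' => 'user', 'content' => $request->get_param( 'prompt' ) ) ),
        ) ),
    ) );

    if ( is_wp_error( $response ) ) {
        // Do not relay the upstream error verbatim: transport errors can quote request headers.
        return new WP_Error( 'bd_ai_upstream', 'Upstream request failed.', array( 'status' => 502 ) );
    }

    $body = json_decode( wp_remote_retrieve_body( $response ), true );
    $text = isset( $body['choices'][0]['message']['content'] ) ? $body['choices'][0]['message']['content'] : '';

    return rest_ensure_response( array( 'text' => $text ) ); // only generated text reaches the browser
}

add_action( 'admin_enqueue_scripts', 'bd_example_hardened_assets' ); // swap in bd_example_vulnerable_assets to reproduce the leak
add_action( 'rest_api_init', 'bd_example_register_proxy' );
```

The important property is that the capability check lives in permission_callback, not in JavaScript: the ai_enabled flag only hides the button, and a Contributor who calls the endpoint directly still receives a 403 and never triggers an OpenAI request. Rotating the key after deploying a fix like this is still required, because any copy already rendered into a Contributor's browser remains valid until OpenAI revokes it.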

By taking proactive measures to address sensitive data exposure issues like CVE-2025-14980, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #SensitiveDataExposure #WebsiteSafety #StayProtected #HighVulnerability


Dmitrii I.
CVE-2025-14980 – BetterDocs – OpenAI API Key Disclosure to Contributor+ via Admin Script Localization – POC
