cleantalk
Vulnerabilities and Security Researches

BetterDocs – Best Documentation, FAQ & Knowledge Base Plugin with AI Support, CVE-2026-6393

CVE, Research URL

CVE-2026-6393

Home page URL

Security reports for BetterDocs – Best Documentation, FAQ & Knowledge Base Plugin with AI Support

Application

BetterDocs – Best Documentation, FAQ & Knowledge Base Plugin with AI Support

Published on
Apr 24, 2026
Research Description
The BetterDocs plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 4.3.11. This is due to a missing capability check in the generate_openai_content_callback() function, which relies solely on a nonce rather than verifying user permissions. This makes it possible for authenticated attackers, with subscriber-level access and above, to trigger OpenAI API calls using the site's configured API key with arbitrary user-controlled prompts, leading to unauthorized consumption of the site owner's paid AI API quota.
Affected versions
max 4.3.12.
Status
vulnerable
Previous vulnerability researches
Add User Meta (CVE-2025-7688) , Aug 17, 2025
Simple User Meta Editor (CVE-2025-14888) , Jan 11, 2026
User Meta – User Profile Builder and User management plugin (CVE-2025-9693) , Apr 24, 2026
User Meta – User Profile Builder and User management plugin (CVE-2024-9262) , Nov 10, 2024
User Meta – User Profile Builder and User management plugin (CVE-2022-0376) , Jun 07, 2024
New vulnerability
Countdown Timer for Elementor (CVE-2025-8445) , Apr 25, 2026
Library Bookshelves (CVE-2025-57964) , Apr 25, 2026
Best WooCommerce Builder for Elementor: Customize Checkout, Shop, Product & More With CoDesigner (CVE-2025-57961) , Apr 25, 2026
Themify Builder (CVE-2025-9353) , Apr 25, 2026
Zoho Flow (CVE-2025-8479) , Apr 25, 2026