{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14980", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-19T16:27:14.224Z", "datePublished": "2026-01-09T06:34:52.906Z", "dateUpdated": "2026-04-08T16:36:59.020Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:36:59.020Z"}, "affected": [{"vendor": "wpdevteam", "product": "BetterDocs \u2013 Knowledge Base Docs & FAQ Solution for Elementor & Block Editor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.3.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The BetterDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.3 via the scripts() function. This makes it possible for authenticated attackers, with contributor-level access and above, to extract sensitive data including the OpenAI API key stored in plugin settings."}], "title": "BetterDocs <= 4.3.3 - Authenticated (Contributor+) Sensitive Information Exposure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1595f231-d300-484a-a0e1-1e2bc7b82ed3?source=cve"}, {"url": "https://research.cleantalk.org/cve-2025-14980/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3430424%40betterdocs%2Ftags%2F4.3.4&old=3422660%40betterdocs%2Ftrunk"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "cweId": "CWE-200", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "timeline": [{"time": "2025-12-18T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-12-19T16:46:46.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-08T17:52:33.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-09T18:24:31.739287Z", "id": "CVE-2025-14980", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-09T18:24:39.427Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14980", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-09T18:24:31.739287Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-09T18:24:34.900Z"}}], "cna": {"title": "BetterDocs <= 4.3.3 - Authenticated (Contributor+) Sensitive Information Exposure", "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "wpdevteam", "product": "BetterDocs \u2013 Knowledge Base Docs & FAQ Solution for Elementor & Block Editor", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.3.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-18T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-12-19T16:46:46.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-08T17:52:33.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1595f231-d300-484a-a0e1-1e2bc7b82ed3?source=cve"}, {"url": "https://research.cleantalk.org/cve-2025-14980/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3430424%40betterdocs%2Ftags%2F4.3.4&old=3422660%40betterdocs%2Ftrunk"}], "descriptions": [{"lang": "en", "value": "The BetterDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.3 via the scripts() function. This makes it possible for authenticated attackers, with contributor-level access and above, to extract sensitive data including the OpenAI API key stored in plugin settings."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:36:59.020Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14980", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:36:59.020Z", "dateReserved": "2025-12-19T16:27:14.224Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-09T06:34:52.906Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The BetterDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.3 via the scripts() function. This makes it possible for authenticated attackers, with contributor-level access and above, to extract sensitive data including the OpenAI API key stored in plugin settings."}, {"lang": "es", "value": "El plugin BetterDocs para WordPress es vulnerable a la Exposici\u00f3n de Informaci\u00f3n Sensible en todas las versiones hasta la 4.3.3, inclusive, a trav\u00e9s de la funci\u00f3n scripts(). Esto permite a atacantes autenticados, con acceso de nivel de colaborador o superior, extraer datos sensibles, incluyendo la clave API de OpenAI almacenada en la configuraci\u00f3n del plugin."}], "id": "CVE-2025-14980", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-09T07:16:01.913", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3430424%40betterdocs%2Ftags%2F4.3.4&old=3422660%40betterdocs%2Ftrunk"}, {"source": "security@wordfence.com", "url": "https://research.cleantalk.org/cve-2025-14980/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1595f231-d300-484a-a0e1-1e2bc7b82ed3?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T15:45:59.769111+00:00", "value": {"mitigation_remediation": ["Update the BetterDocs plugin to version 4.3.4 or newer where the scripts() function is secured.", "If an upgrade cannot be performed immediately, deactivate or uninstall the plugin to deny any extraction of sensitive data.", "After the upgrade, remove the exposed OpenAI API key from the plugin settings and generate a new key to prevent reuse of compromised credentials."], "summary": {"action": "Upgrade", "impact": "Sensitive Information Exposure"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed the BetterDocs plugin from wpdevteam up to and including version 4.3.3 are affected. All users of the plugin within those versions who have contributor-level or higher permissions can exploit the flaw.", "description_and_impact": "The BetterDocs WordPress plugin is vulnerable in all releases up to 4.3.3 via the scripts() function. An authenticated attacker with contributor or higher privileges can read plugin settings, including the OpenAI API key. This allows the attacker to gain access to proprietary credentials and potentially use the key for unauthorized API calls, leading to data leakage and misuse of accounts.", "risk_and_exploitability": "The CVSS score of 6.5 ranks this vulnerability as moderate severity, and the EPSS score of less than 1% indicates a low probability of exploitation at this time. It is not listed in the CISA KEV catalog. Attackers require only authenticated access at the contributor level, a role commonly granted to content editors, which makes the attack vector relatively straightforward for insiders or compromised accounts, but the low EPSS suggests active exploitation has not been observed."}}}}, "created": "2026-01-09T13:23:46.935476+00:00", "updated": "2026-04-22T16:00:12.087556+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpdevteam", "wpdevteam$PRODUCT$betterdocs"]}