{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6393", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-04-15T20:07:58.184Z", "datePublished": "2026-04-24T03:27:05.541Z", "dateUpdated": "2026-04-24T10:46:24.083Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-24T03:27:05.541Z"}, "affected": [{"vendor": "wpdevteam", "product": "BetterDocs \u2013 Knowledge Base Docs & FAQ Solution for Elementor & Block Editor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.3.11", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The BetterDocs plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 4.3.11. This is due to a missing capability check in the generate_openai_content_callback() function, which relies solely on a nonce rather than verifying user permissions. This makes it possible for authenticated attackers, with subscriber-level access and above, to trigger OpenAI API calls using the site's configured API key with arbitrary user-controlled prompts, leading to unauthorized consumption of the site owner's paid AI API quota."}], "title": "BetterDocs <= 4.3.11 - Missing Authorization to Authenticated (Subscriber+) Unauthorized AI API Usage", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/432b11be-174d-45d6-aa3b-2fbfa85ec17a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/betterdocs/trunk/includes/Core/WriteWithAI.php#L138"}, {"url": "https://plugins.trac.wordpress.org/browser/betterdocs/tags/4.3.6/includes/Core/WriteWithAI.php#L138"}, {"url": "https://plugins.trac.wordpress.org/browser/betterdocs/trunk/includes/Core/WriteWithAI.php#L31"}, {"url": "https://plugins.trac.wordpress.org/browser/betterdocs/tags/4.3.6/includes/Core/WriteWithAI.php#L31"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3512640%40betterdocs&new=3512640%40betterdocs&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Ph\u00fa"}], "timeline": [{"time": "2026-04-15T20:23:25.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-23T14:45:35.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-24T10:46:06.950400Z", "id": "CVE-2026-6393", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T10:46:24.083Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The BetterDocs plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 4.3.11. This is due to a missing capability check in the generate_openai_content_callback() function, which relies solely on a nonce rather than verifying user permissions. This makes it possible for authenticated attackers, with subscriber-level access and above, to trigger OpenAI API calls using the site's configured API key with arbitrary user-controlled prompts, leading to unauthorized consumption of the site owner's paid AI API quota."}], "id": "CVE-2026-6393", "lastModified": "2026-04-24T14:38:26.740", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-24T04:16:22.607", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/betterdocs/tags/4.3.6/includes/Core/WriteWithAI.php#L138"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/betterdocs/tags/4.3.6/includes/Core/WriteWithAI.php#L31"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/betterdocs/trunk/includes/Core/WriteWithAI.php#L138"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/betterdocs/trunk/includes/Core/WriteWithAI.php#L31"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3512640%40betterdocs&new=3512640%40betterdocs&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/432b11be-174d-45d6-aa3b-2fbfa85ec17a?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,4.3.11]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "BetterDocs \u2013 Knowledge Base Docs & FAQ Solution for Elementor & Block Editor", "source": "cna", "vendor": "wpdevteam"}, "product": "betterdocs_\u2013__knowledge_base_docs_&_faq_solution_for_elementor_&_block_editor", "vendor": "wpdevteam"}], "analysis": {"en": {"generated_at": "2026-04-28T14:25:14.340574+00:00", "value": {"mitigation_remediation": ["Upgrade the BetterDocs plugin to version 4.3.12 or newer, where the missing capability check has been added.", "If an upgrade is impossible in the short term, disable the \"Write With AI\" feature or remove the plugin\u2019s AI generation code from the site\u2019s source files.", "Revoke or rotate the OpenAI API key stored in the plugin\u2019s settings to prevent further use by malicious requests.", "Continuously monitor the site's OpenAI API usage logs for unexpected or inflated request volumes."], "summary": {"action": "Upgrade Plugin", "impact": "Unauthorized Consumption of Paid AI Credit"}, "threat_synthesis": {"affected_systems": "Any WordPress site running the BetterDocs Knowledge Base plugin version 4.3.11 or earlier, including the 4.3.6 tag referenced in the code review. The vulnerability is present in the generate_openai_content_callback() function in the Core/WriteWithAI.php file.", "description_and_impact": "The exploit allows an authenticated user with subscriber-level access or higher to call the OpenAI API through the plugin\u2019s \"Write With AI\" feature without any capability checks. This means the attacker can submit arbitrary prompts, causing the site\u2019s stored OpenAI key to be used and charged. The consequence is unauthorized financial expense and potential exposure of content the site owner did not intend to share with the AI service. The weakness is a missing access control, classed as CWE\u2011862.", "risk_and_exploitability": "The CVSS score is 4.3, indicating moderate severity. The EPSS score is below 1\u202f%, suggesting the current exploitation likelihood is low, and the vulnerability is not listed in the CISA KEV catalog. However, once a site has a valid OpenAI key and an authenticated subscriber account, the attacker can trivially trigger consumption by accessing the corresponding AJAX endpoint. The attack vector is expected to be via the normal WordPress admin interface or API calls that present a valid nonce but do not enforce capability checks."}}}}, "created": "2026-04-27T23:00:12.517784+00:00", "updated": "2026-04-28T14:30:33.763575+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpdevteam", "wpdevteam$PRODUCT$betterdocs_\u2013__knowledge_base_docs_&_faq_solution_for_elementor_&_block_editor"]}