BetterDocs Pro < 3.8.1 – Unauthenticated Local File Inclusion via doc_style | CVE 2026-7515 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Local File Inclusion via the `doc_style` parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

Affects Plugins

Fixed in 3.8.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/694b67d2-7d60-4764-a2c0-02698c331772

Classification

Type

RFI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Nguyen Ngoc Duc (duc193)

Verified

Yes

WPVDB ID

9ff9506f-ff0d-4256-8d04-e0b47d8c9c23

Timeline

Publicly Published

2026-06-18 (about 2 days ago)

Added

2026-06-18 (about 2 days ago)

Last Updated

2026-06-19 (about 20 hours ago)

Other

Published

Title

Published

2014-08-01

Title

Simple Fields 0.3.5 - Remote File Inclusion

Published

2026-04-08

Title

Getaway < 1.8 - Unauthenticated Local File Inclusion

Published

2025-07-30

Title

SmilePure < 1.8.5 - Unauthenticated Local File Inclusion

Published

2025-10-16

Title

Houzez Theme - Functionality < 4.2.0 - Authenticated (Contributor+) Local File Inclusion

Published

2025-09-17

Title

Leblix < 2.5 - Unauthenticated Local File Inclusion