WordPress Plugin Vulnerabilities

BetterDocs < 4.3.4 - Authenticated (Contributor+) Sensitive Information Exposure

Description

The BetterDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.3 via the scripts() function. This makes it possible for authenticated attackers, with contributor-level access and above, to extract sensitive data including the OpenAI API key stored in plugin settings.

Affects Plugins

Plugin icon
betterdocs
Fixed in 4.3.4

References

CVE
CVE-2025-14980
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/1595f231-d300-484a-a0e1-1e2bc7b82ed3

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Dmitrii Ignatyev
Verified
No
WPVDB ID
d0533954-4449-4214-9ef5-245eb63f4882

Timeline

Publicly Published
2026-01-08 (about 4 months ago)
Added
2026-01-08 (about 4 months ago)
Last Updated
2026-01-09 (about 4 months ago)

Other

Published
Title
Published
2024-06-04
Title
LearnPress – WordPress LMS Plugin < 4.2.6.8.1 - Basic Information Disclosure via JSON API
Published
2024-12-16
Title
PPWP – Password Protect Pages < 1.9.6 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure
Published
2024-03-26
Title
WholesaleX < 1.3.2 - Sensitive Information Exposure via export_users
Published
2025-07-29
Title
Atarim < 4.2.2 - Unauthenticated Information Exposure
Published
2025-02-28
Title
GenerateBlocks < 2.0.0 - Authenticated (Contributor+) Sensitive Information Exposure via 'get_image_description'