CVE-2026-4348
Deferred Deferred - Pending Action
SQL Injection in BetterDocs Pro WordPress Plugin

Publication date: 2026-05-07

Last updated on: 2026-05-07

Assigner: Wordfence

Description
The BetterDocs Pro plugin for WordPress is vulnerable to SQL Injection via the `get_current_letter_docs` and `docs_sort_by_letter` AJAX actions in all versions up to, and including, 3.7.0. This is due to the `limit` POST parameter being interpolated directly into a SQL query string before being passed to `$wpdb->prepare()`, which only parameterizes other variables. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The Encyclopedia feature must be enabled in BetterDocs Pro settings for the vulnerability to be exploitable.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-07
Last Modified
2026-05-07
Generated
2026-06-22
AI Q&A
2026-05-07
EPSS Evaluated
2026-06-21
NVD
CVE-2026-4348
EUVD
EUVD-2026-28319
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
wpbeaver betterdocs_pro to 3.7.0 (inc)
wpbeaver betterdocs_pro to 4.3.11 (exc)
wpbeaverbuilder betterdocs_pro to 3.7.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The BetterDocs Pro plugin for WordPress has a SQL Injection vulnerability in versions up to and including 3.7.0. This occurs because the `limit` POST parameter is directly inserted into a SQL query string before being passed to the database prepare function, which only parameterizes other variables. As a result, unauthenticated attackers can append additional SQL queries to extract sensitive information from the database. The vulnerability can only be exploited if the Encyclopedia feature is enabled in the plugin settings.

Compliance Impact

The vulnerability allows unauthenticated attackers to perform SQL Injection attacks that can extract sensitive information from the database.

Exposure of sensitive information through such attacks could potentially lead to non-compliance with data protection regulations like GDPR or HIPAA, which require safeguarding personal and sensitive data.

However, the provided context and resources do not explicitly discuss the impact of this vulnerability on compliance with specific standards or regulations.

Impact Analysis

This vulnerability allows unauthenticated attackers to perform SQL Injection attacks, potentially extracting sensitive information from the database. Since the attack does not require authentication, it poses a significant risk of data exposure. The CVSS score of 7.5 indicates a high severity impact on confidentiality, although it does not affect integrity or availability.

Mitigation Strategies

To mitigate this vulnerability, you should update the BetterDocs Pro plugin to the latest patched version. The vulnerability was fixed in version 4.3.11, released on April 15, 2026.

Additionally, ensure that the Encyclopedia feature in BetterDocs Pro settings is disabled if you cannot immediately update, as the vulnerability requires this feature to be enabled to be exploitable.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4348. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart