CVE-2026-7515
Local File Inclusion in BetterDocs Pro WordPress Plugin

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: Wordfence

Description
The BetterDocs Pro plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 3.8.0 via the `doc_style` parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

Meta Information

  • Published: 2026-06-19
  • Last Modified: 2026-06-19
  • Generated: 2026-06-19
  • AI Q&A: 2026-06-19
  • EPSS Evaluated: N/A

Affected Vendors & Products

| Vendor | Product | Version / Range |
|---|---|---|
| wpdeveloper | betterdocs | to 3.8.0 (inc) |
| wpdeveloper | betterdocs | to 4.3.11 (exc) |

| CWE ID | Description |
|---|---|
| CWE-98 | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. |

Executive Summary

The BetterDocs Pro plugin for WordPress has a Local File Inclusion vulnerability in versions up to and including 3.8.0. This vulnerability exists via the `doc_style` parameter, which allows unauthenticated attackers to include and execute arbitrary .php files on the server.

By exploiting this vulnerability, attackers can run any PHP code contained in those files, potentially bypassing access controls and gaining unauthorized access to sensitive data or executing malicious code.

Impact Analysis

This vulnerability can have severe impacts including unauthorized code execution on the server hosting the WordPress site.

  • Attackers can bypass access controls.
  • Sensitive data stored on the server can be accessed or stolen.
  • Malicious PHP code can be executed, potentially leading to full server compromise.
Mitigation Strategies

To mitigate the Local File Inclusion vulnerability in the BetterDocs Pro plugin for WordPress (versions up to and including 3.8.0), you should immediately update the plugin to a version later than 3.8.0 where the vulnerability is fixed.

Additionally, restrict or monitor uploads of .php files to prevent attackers from uploading malicious files that could be included and executed via the vulnerable parameter.

Implement access controls and security measures such as web application firewalls (WAF) to detect and block attempts to exploit the `doc_style` parameter.
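
One way to monitor for the probing described above is to flag any logged request whose `doc_style` value falls outside an allowlist. This is an added example, not code from the advisory or the plugin; it assumes a combined-format access log, that the parameter arrives in the query string, and that legitimate values are simple layout names. The log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: legitimate doc_style values are short layout names made of
# letters, digits, '_' and '-'. Tune this to the values your site really uses.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]{1,64}")
# Client address, request target and status from a combined-format log line.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')


def suspicious_doc_style(line):
    """Return (client, decoded_value, status) for an unsafe doc_style, else None."""
    m = REQUEST.match(line)
    if not m:
        return None
    client, target, status = m.groups()
    query = urlsplit(target).query
    for value in parse_qs(query, keep_blank_values=True).get("doc_style", []):
        # parse_qs decodes once; decode again to catch double-encoded input.
        decoded = unquote(value)
        if not SAFE_VALUE.fullmatch(decoded):
            return client, decoded, int(status)
    return None


def scan(lines):
    """Collect every hit so an analyst can pivot on client address and status."""
    return [hit for hit in map(suspicious_doc_style, lines) if hit]


# Constructed sample log lines (documentation address ranges, made-up paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [19/Jun/2026:10:00:01 +0000] "GET /docs/?doc_style=layout-1 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [19/Jun/2026:10:00:05 +0000] "GET /docs/?doc_style=..%2F..%2Fx HTTP/1.1" 200 812',
    '203.0.113.9 - - [19/Jun/2026:10:00:09 +0000] "GET /docs/?doc_style=%252e%252e%252fx HTTP/1.1" 500 0',
    '192.0.2.4 - - [19/Jun/2026:10:00:12 +0000] "GET /docs/?page=2 HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for client, value, status in scan(SAMPLE_LOG):
        print(f"{client} sent doc_style={value!r} (HTTP {status})")
```

The same allowlist expressed as a WAF rule blocks the request instead of only reporting it; values sent in a request body never reach an access log and need body inspection at the WAF.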

Compliance Impact

The vulnerability in the BetterDocs Pro plugin allows unauthenticated attackers to execute arbitrary PHP code on the server, potentially bypassing access controls and obtaining sensitive data.

Such unauthorized access and potential data exposure could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls to protect sensitive personal and health information.

However, the provided information does not explicitly mention the impact on compliance with these or other standards.
