BetterDocs <= 4.3.10 - Unauthenticated Information Exposure
Description
The BetterDocs – Knowledge Base Docs & FAQ Solution for Elementor & Block Editor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.10. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NTechnical Details
What Changed in the Fix
Changes introduced in v4.3.11
Source Code
WordPress.org SVN# Research Plan: CVE-2026-42644 - BetterDocs Unauthenticated Information Exposure ## 1. Vulnerability Summary The **BetterDocs** plugin (up to 4.3.10) contains a sensitive information exposure vulnerability. The issue stems from the registration of REST API endpoints that fail to implement proper `…
Show full research plan
Research Plan: CVE-2026-42644 - BetterDocs Unauthenticated Information Exposure
1. Vulnerability Summary
The BetterDocs plugin (up to 4.3.10) contains a sensitive information exposure vulnerability. The issue stems from the registration of REST API endpoints that fail to implement proper permission_callback checks. This allows unauthenticated users to access routes that disclose data such as internal FAQ categories, post metadata, and potentially configuration or user details that should be restricted to authenticated administrators.
2. Attack Vector Analysis
- Endpoint: WordPress REST API under the
betterdocs/v1namespace. - Vulnerable Routes:
/wp-json/betterdocs/v1/faq-categories/wp-json/betterdocs/v1/search
- HTTP Method:
GET - Authentication: None required (Unauthenticated).
- Preconditions: The plugin must be active, and at least one FAQ or Category must exist (even if marked as private/draft).
3. Code Flow
- Initialization: In
includes/Plugin.php, the plugin hooks intorest_api_initvia theapi_initializationmethod. - Registration: The
WPDeveloper\BetterDocs\Core\FAQBuilderclass (instantiated via the container) hooks intorest_api_initin its__constructmethod, calling$this->register_api_endpoint. - Route Setup: Inside
register_api_endpoint(found inincludes/Core/FAQBuilder.php), routes are registered usingregister_rest_route. - Missing Check: The
register_rest_routecalls likely omit thepermission_callbackargument or set it to__return_true, making the endpoint accessible to anyone. - Data Retrieval: The callback for these routes (e.g., fetching categories or search results) retrieves terms or posts using standard WordPress functions (like
get_termsorWP_Query) without enforcing visibility restrictions or stripping sensitive metadata registered viaregister_term_metaorregister_post_meta.
4. Nonce Acquisition Strategy
This vulnerability typically involves REST API endpoints that do not require a nonce for GET requests if the permission_callback is missing.
However, if a nonce is required for the REST API (standard wp_rest nonce), it can be obtained as follows:
- Identify Script Localization: BetterDocs localizes data in
includes/Core/Scripts.php(referenced inPlugin.php). - Shortcode Page: Create a page containing the BetterDocs Search or Category shortcode.
- Command:
wp post create --post_type=page --post_status=publish --post_title="Docs" --post_content='[betterdocs_search_form]'
- Command:
- Extraction:
- Navigate to the new page.
- Use
browser_evalto extract the nonce from the global JavaScript object (likelybetterdocs_settingsorbetterdocs_ajax). - Script:
browser_eval("window.betterdocs_settings?.nonce")orbrowser_eval("window.betterdocs_ajax?.nonce").
5. Exploitation Strategy
The goal is to extract information about FAQ categories and posts that are not publicly visible.
Step 1: Discover REST Routes
Access the REST API index to confirm the available routes in the betterdocs namespace.
- Request:
GET /wp-json/betterdocs/v1 - Tool:
http_request
Step 2: Information Disclosure (Categories)
Query the FAQ categories endpoint.
- Request:
GET /wp-json/betterdocs/v1/faq-categories - Tool:
http_request - Expected Payload: No parameters needed.
Step 3: Information Disclosure (Search/Metadata)
Query the search endpoint to find content and associated metadata.
- Request:
GET /wp-json/betterdocs/v1/search?s= - Tool:
http_request
6. Test Data Setup
To prove information exposure, create content that should be hidden:
- Create Private FAQ Category:
wp term create betterdocs_faq_category "Internal Secrets" --description="This should not be seen" - Create Private FAQ Post:
wp post create --post_type=betterdocs_faq --post_status=private --post_title="Internal Admin Password Policy" --post_content="Keep it secret." - Set Metadata:
# Assign the private FAQ to the category (replace IDs accordingly) wp post term set <POST_ID> betterdocs_faq_category <TERM_ID>
7. Expected Results
- A successful exploit will return a JSON response containing the "Internal Secrets" category name and description, even though the user is unauthenticated.
- The response might also include internal ordering metadata (
_betterdocs_faq_order) or status flags (status) registered inFAQBuilder.phplines 105-108. - If the vulnerability extends to search, the private post title "Internal Admin Password Policy" may appear in the results.
8. Verification Steps
- Verify Unauthenticated Access:
- Use
http_requestto call/wp-json/betterdocs/v1/faq-categories. - Ensure no cookies or
X-WP-Nonceheaders are sent.
- Use
- Check for Sensitive Data:
- Confirm the string "Internal Secrets" is present in the JSON body.
- Verify Post Metadata Exposure:
- Check if the JSON contains keys like
order,status, or_betterdocs_faq_orderwhich are internal plugin configurations.
- Check if the JSON contains keys like
9. Alternative Approaches
If /faq-categories is protected, attempt to access:
/wp-json/betterdocs/v1/docs-categories/wp-json/betterdocs/v1/get-settings(if the plugin exposes its settings via REST for the admin UI)/wp-json/wp/v2/betterdocs_faq(Check if the default WP REST endpoint for the custom post type is inadvertently left public despitepublic => falseinregister_post_type).
Summary
The BetterDocs plugin for WordPress (up to 4.3.10) exposes sensitive internal information through several REST API endpoints that lack proper permission checks. Unauthenticated attackers can access these routes to retrieve draft FAQ posts, internal category structures, and metadata that should be restricted to administrative users.
Vulnerable Code
// includes/Core/FAQBuilder.php line 249 register_rest_route( $this->namespace . '/v1', '/faq-posts', [ 'methods' => [ 'GET' ], 'callback' => [ $this, 'fetch_faq_posts' ], 'permission_callback' => '__return_true' ] ); --- // includes/Core/FAQBuilder.php line 364 register_rest_route( $this->namespace . '/v1', '/uncategorised-faq', [ 'methods' => [ 'GET' ], 'callback' => [ $this, 'get_uncategorised_faq' ], 'permission_callback' => '__return_true' ] ); --- // includes/Core/FAQBuilder.php line 676 return get_posts( [ 'post_type' => 'betterdocs_faq', 'post_status' => [ 'publish', 'draft' ], 'posts_per_page' => -1, // ... ] );
Security Fix
@@ -246,7 +246,9 @@ [ 'methods' => [ 'GET' ], 'callback' => [ $this, 'fetch_faq_posts' ], - 'permission_callback' => '__return_true' + 'permission_callback' => function () { + return current_user_can( 'edit_others_posts' ); + } ] ); @@ -364,7 +366,9 @@ [ 'methods' => [ 'GET' ], 'callback' => [ $this, 'get_uncategorised_faq' ], - 'permission_callback' => '__return_true' + 'permission_callback' => function () { + return current_user_can( 'edit_others_posts' ); + } ] ); @@ -374,11 +378,14 @@ [ 'methods' => [ 'GET' ], 'callback' => [ $this, 'category_search' ], - 'permission_callback' => '__return_true', + 'permission_callback' => function () { + return current_user_can( 'edit_others_posts' ); + }, 'args' => [ 'title' => [ - 'type' => 'string', - 'required' => true + 'type' => 'string', + 'required' => true, + 'sanitize_callback' => 'sanitize_text_field' ] ] ] @@ -669,7 +676,7 @@ return get_posts( [ 'post_type' => 'betterdocs_faq', - 'post_status' => [ 'publish', 'draft' ], + 'post_status' => current_user_can( 'edit_others_posts' ) ? [ 'publish', 'draft' ] : 'publish', 'posts_per_page' => -1, 'tax_query' => [ 'relation' => 'AND',
Exploit Outline
To exploit this vulnerability, an unauthenticated attacker simply needs to send a GET request to the vulnerable WordPress REST API endpoints registered by BetterDocs. 1. Target the endpoint `/wp-json/betterdocs/v1/faq-posts` or `/wp-json/betterdocs/v1/category-search`. 2. No authentication tokens or cookies are required because the `permission_callback` for these routes is set to `__return_true` in affected versions. 3. The payload for `/category-search` requires a `title` parameter (e.g., `?title=a`). 4. The response will include data that should not be public, such as FAQ posts with a status of 'draft' and internal term metadata including 'order', 'status', and '_betterdocs_faq_order'.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.