CVE-2026-42644

BetterDocs <= 4.3.10 - Unauthenticated Information Exposure

mediumExposure of Sensitive Information to an Unauthorized Actor
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
4.3.11
Patched in
56d
Time to patch

Description

The BetterDocs – Knowledge Base Docs & FAQ Solution for Elementor & Block Editor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.10. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Low
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<=4.3.10
PublishedMarch 18, 2026
Last updatedMay 12, 2026
Affected pluginbetterdocs

What Changed in the Fix

Changes introduced in v4.3.11

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Research Plan: CVE-2026-42644 - BetterDocs Unauthenticated Information Exposure ## 1. Vulnerability Summary The **BetterDocs** plugin (up to 4.3.10) contains a sensitive information exposure vulnerability. The issue stems from the registration of REST API endpoints that fail to implement proper `…

Show full research plan

Research Plan: CVE-2026-42644 - BetterDocs Unauthenticated Information Exposure

1. Vulnerability Summary

The BetterDocs plugin (up to 4.3.10) contains a sensitive information exposure vulnerability. The issue stems from the registration of REST API endpoints that fail to implement proper permission_callback checks. This allows unauthenticated users to access routes that disclose data such as internal FAQ categories, post metadata, and potentially configuration or user details that should be restricted to authenticated administrators.

2. Attack Vector Analysis

  • Endpoint: WordPress REST API under the betterdocs/v1 namespace.
  • Vulnerable Routes:
    • /wp-json/betterdocs/v1/faq-categories
    • /wp-json/betterdocs/v1/search
  • HTTP Method: GET
  • Authentication: None required (Unauthenticated).
  • Preconditions: The plugin must be active, and at least one FAQ or Category must exist (even if marked as private/draft).

3. Code Flow

  1. Initialization: In includes/Plugin.php, the plugin hooks into rest_api_init via the api_initialization method.
  2. Registration: The WPDeveloper\BetterDocs\Core\FAQBuilder class (instantiated via the container) hooks into rest_api_init in its __construct method, calling $this->register_api_endpoint.
  3. Route Setup: Inside register_api_endpoint (found in includes/Core/FAQBuilder.php), routes are registered using register_rest_route.
  4. Missing Check: The register_rest_route calls likely omit the permission_callback argument or set it to __return_true, making the endpoint accessible to anyone.
  5. Data Retrieval: The callback for these routes (e.g., fetching categories or search results) retrieves terms or posts using standard WordPress functions (like get_terms or WP_Query) without enforcing visibility restrictions or stripping sensitive metadata registered via register_term_meta or register_post_meta.

4. Nonce Acquisition Strategy

This vulnerability typically involves REST API endpoints that do not require a nonce for GET requests if the permission_callback is missing.

However, if a nonce is required for the REST API (standard wp_rest nonce), it can be obtained as follows:

  1. Identify Script Localization: BetterDocs localizes data in includes/Core/Scripts.php (referenced in Plugin.php).
  2. Shortcode Page: Create a page containing the BetterDocs Search or Category shortcode.
    • Command: wp post create --post_type=page --post_status=publish --post_title="Docs" --post_content='[betterdocs_search_form]'
  3. Extraction:
    • Navigate to the new page.
    • Use browser_eval to extract the nonce from the global JavaScript object (likely betterdocs_settings or betterdocs_ajax).
    • Script: browser_eval("window.betterdocs_settings?.nonce") or browser_eval("window.betterdocs_ajax?.nonce").

5. Exploitation Strategy

The goal is to extract information about FAQ categories and posts that are not publicly visible.

Step 1: Discover REST Routes

Access the REST API index to confirm the available routes in the betterdocs namespace.

  • Request: GET /wp-json/betterdocs/v1
  • Tool: http_request

Step 2: Information Disclosure (Categories)

Query the FAQ categories endpoint.

  • Request: GET /wp-json/betterdocs/v1/faq-categories
  • Tool: http_request
  • Expected Payload: No parameters needed.

Step 3: Information Disclosure (Search/Metadata)

Query the search endpoint to find content and associated metadata.

  • Request: GET /wp-json/betterdocs/v1/search?s=
  • Tool: http_request

6. Test Data Setup

To prove information exposure, create content that should be hidden:

  1. Create Private FAQ Category:
    wp term create betterdocs_faq_category "Internal Secrets" --description="This should not be seen"
    
  2. Create Private FAQ Post:
    wp post create --post_type=betterdocs_faq --post_status=private --post_title="Internal Admin Password Policy" --post_content="Keep it secret."
    
  3. Set Metadata:
    # Assign the private FAQ to the category (replace IDs accordingly)
    wp post term set <POST_ID> betterdocs_faq_category <TERM_ID>
    

7. Expected Results

  • A successful exploit will return a JSON response containing the "Internal Secrets" category name and description, even though the user is unauthenticated.
  • The response might also include internal ordering metadata (_betterdocs_faq_order) or status flags (status) registered in FAQBuilder.php lines 105-108.
  • If the vulnerability extends to search, the private post title "Internal Admin Password Policy" may appear in the results.

8. Verification Steps

  1. Verify Unauthenticated Access:
    • Use http_request to call /wp-json/betterdocs/v1/faq-categories.
    • Ensure no cookies or X-WP-Nonce headers are sent.
  2. Check for Sensitive Data:
    • Confirm the string "Internal Secrets" is present in the JSON body.
  3. Verify Post Metadata Exposure:
    • Check if the JSON contains keys like order, status, or _betterdocs_faq_order which are internal plugin configurations.

9. Alternative Approaches

If /faq-categories is protected, attempt to access:

  • /wp-json/betterdocs/v1/docs-categories
  • /wp-json/betterdocs/v1/get-settings (if the plugin exposes its settings via REST for the admin UI)
  • /wp-json/wp/v2/betterdocs_faq (Check if the default WP REST endpoint for the custom post type is inadvertently left public despite public => false in register_post_type).
Research Findings
Static analysis — not yet PoC-verified

Summary

The BetterDocs plugin for WordPress (up to 4.3.10) exposes sensitive internal information through several REST API endpoints that lack proper permission checks. Unauthenticated attackers can access these routes to retrieve draft FAQ posts, internal category structures, and metadata that should be restricted to administrative users.

Vulnerable Code

// includes/Core/FAQBuilder.php line 249
register_rest_route(
	$this->namespace . '/v1',
	'/faq-posts',
	[
		'methods'             => [ 'GET' ],
		'callback'            => [ $this, 'fetch_faq_posts' ],
		'permission_callback' => '__return_true'
	]
);

---

// includes/Core/FAQBuilder.php line 364
register_rest_route(
	$this->namespace . '/v1',
	'/uncategorised-faq',
	[
		'methods'             => [ 'GET' ],
		'callback'            => [ $this, 'get_uncategorised_faq' ],
		'permission_callback' => '__return_true'
	]
);

---

// includes/Core/FAQBuilder.php line 676
return get_posts(
	[
		'post_type'      => 'betterdocs_faq',
		'post_status'    => [ 'publish', 'draft' ],
		'posts_per_page' => -1,
		// ...
	]
);

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/betterdocs/4.3.10/includes/Core/FAQBuilder.php /home/deploy/wp-safety.org/data/plugin-versions/betterdocs/4.3.11/includes/Core/FAQBuilder.php
--- /home/deploy/wp-safety.org/data/plugin-versions/betterdocs/4.3.10/includes/Core/FAQBuilder.php	2025-01-21 06:19:26.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/betterdocs/4.3.11/includes/Core/FAQBuilder.php	2026-04-15 06:50:22.000000000 +0000
@@ -246,7 +246,9 @@
 			[
 				'methods'             => [ 'GET' ],
 				'callback'            => [ $this, 'fetch_faq_posts' ],
-				'permission_callback' => '__return_true'
+				'permission_callback' => function () {
+					return current_user_can( 'edit_others_posts' );
+				}
 			]
 		);
 
@@ -364,7 +366,9 @@
 			[
 				'methods'             => [ 'GET' ],
 				'callback'            => [ $this, 'get_uncategorised_faq' ],
-				'permission_callback' => '__return_true'
+				'permission_callback' => function () {
+					return current_user_can( 'edit_others_posts' );
+				}
 			]
 		);
 
@@ -374,11 +378,14 @@
 			[
 				'methods'             => [ 'GET' ],
 				'callback'            => [ $this, 'category_search' ],
-				'permission_callback' => '__return_true',
+				'permission_callback' => function () {
+					return current_user_can( 'edit_others_posts' );
+				},
 				'args'                => [
 					'title' => [
-						'type'     => 'string',
-						'required' => true
+						'type'              => 'string',
+						'required'          => true,
+						'sanitize_callback' => 'sanitize_text_field'
 					]
 				]
 			]
@@ -669,7 +676,7 @@
 		return get_posts(
 			[
 				'post_type'      => 'betterdocs_faq',
-				'post_status'    => [ 'publish', 'draft' ],
+				'post_status'    => current_user_can( 'edit_others_posts' ) ? [ 'publish', 'draft' ] : 'publish',
 				'posts_per_page' => -1,
 				'tax_query'      => [
 					'relation' => 'AND',

Exploit Outline

To exploit this vulnerability, an unauthenticated attacker simply needs to send a GET request to the vulnerable WordPress REST API endpoints registered by BetterDocs. 1. Target the endpoint `/wp-json/betterdocs/v1/faq-posts` or `/wp-json/betterdocs/v1/category-search`. 2. No authentication tokens or cookies are required because the `permission_callback` for these routes is set to `__return_true` in affected versions. 3. The payload for `/category-search` requires a `title` parameter (e.g., `?title=a`). 4. The response will include data that should not be public, such as FAQ posts with a status of 'draft' and internal term metadata including 'order', 'status', and '_betterdocs_faq_order'.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.