SQL Injection Vulnerability in BetterDocs Plugin for WordPress
CVE-2026-15104

6.5MEDIUM

What is CVE-2026-15104?

The BetterDocs plugin for WordPress is susceptible to SQL injection via the 'lang' parameter in all versions up to 4.6.0. This vulnerability arises from inadequate escaping of user-supplied parameters and insufficient preparation of the SQL query. Authenticated attackers with custom-level access or higher can exploit this flaw to inject additional SQL queries, potentially compromising sensitive database information. This vulnerability’s exploitability is conditional upon the activation of a compatible multilingual plugin, such as WPML, Polylang, qTranslate, Weglot, or TranslatePress.

Affected Version(s)

BetterDocs – AI Documentation, Knowledge Base, Docs, Wikis, FAQ with Chatbot 0 <= 4.6.0

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

PRISM
.