SQL Injection Vulnerability in BetterDocs Pro Plugin for WordPress
CVE-2026-4348

7.5HIGH

Key Information:

Vendor: WordPress
Status: Betterdocs Pro
Vendor: CVE Published:; 7 May 2026

What is CVE-2026-4348?

A vulnerability exists in the BetterDocs Pro plugin for WordPress that allows SQL Injection through the get_current_letter_docs and docs_sort_by_letter AJAX actions. This flaw arises from the improper handling of the limit POST parameter, which is directly injected into a SQL query. As a result, unauthenticated attackers can manipulate existing queries to extract sensitive information from the database. To exploit this vulnerability, users must have the Encyclopedia feature enabled in their BetterDocs Pro settings.

Affected Version(s)

BetterDocs Pro 0 <= 3.7.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://betterdocs.co/changelog/

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 7, 2026
Vulnerability Reserved
Mar 17, 2026

Credit

Phú

CVE-2026-4348 Data

JSON