{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/betterdocs-pro-plugin/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-4348"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["BetterDocs Pro plugin"],"_cs_severities":["high"],"_cs_tags":["sqli","wordpress","plugin","cve-2026-4348"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe BetterDocs Pro plugin for WordPress, a popular solution for knowledge base management, is susceptible to a critical SQL Injection vulnerability. This flaw affects all versions up to and including 3.7.0. The vulnerability resides in the \u003ccode\u003eget_current_letter_docs\u003c/code\u003e and \u003ccode\u003edocs_sort_by_letter\u003c/code\u003e AJAX actions. A critical prerequisite for exploitation is that the Encyclopedia feature must be enabled within the BetterDocs Pro settings panel. Successful exploitation enables unauthenticated attackers to inject arbitrary SQL queries, potentially leading to sensitive data exfiltration from the WordPress database.\nThis poses a significant risk to the confidentiality and integrity of affected WordPress sites.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site using BetterDocs Pro with the Encyclopedia feature enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003ewp-admin/admin-ajax.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes the \u003ccode\u003eaction\u003c/code\u003e parameter set to either \u003ccode\u003eget_current_letter_docs\u003c/code\u003e or \u003ccode\u003edocs_sort_by_letter\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious SQL code into the \u003ccode\u003elimit\u003c/code\u003e POST parameter. This parameter is directly interpolated into a SQL query without proper sanitization using \u003ccode\u003e$wpdb-\u0026gt;prepare()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe WordPress server processes the request, executing the attacker-controlled SQL query against the database.\u003c/li\u003e\n\u003cli\u003eThe injected SQL query extracts sensitive information, such as user credentials, configuration data, or other confidential content stored in the database.\u003c/li\u003e\n\u003cli\u003eThe extracted data is returned to the attacker in the HTTP response.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the exfiltrated data for valuable information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL Injection vulnerability can lead to complete compromise of the WordPress database. Attackers can steal sensitive data, including user credentials, API keys, and other confidential information. This could lead to unauthorized access to the WordPress site, data breaches, and potential financial losses.\nThis vulnerability has a CVSS v3.1 base score of 7.5, highlighting the significant risk it poses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the BetterDocs Pro plugin to a version greater than 3.7.0 to patch CVE-2026-4348.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect BetterDocs Pro SQL Injection Attempt via limit Parameter\u0026rdquo; to your SIEM to detect exploitation attempts targeting the vulnerable AJAX actions.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003ewp-admin/admin-ajax.php\u003c/code\u003e with the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003eget_current_letter_docs\u003c/code\u003e or \u003ccode\u003edocs_sort_by_letter\u003c/code\u003e and potentially malicious SQL code in the \u003ccode\u003elimit\u003c/code\u003e parameter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-07T06:16:05Z","date_published":"2026-05-07T06:16:05Z","id":"/briefs/2026-05-betterdocs-sqli/","summary":"The BetterDocs Pro plugin for WordPress is vulnerable to SQL Injection via the `get_current_letter_docs` and `docs_sort_by_letter` AJAX actions, allowing unauthenticated attackers to extract sensitive information from the database.","title":"BetterDocs Pro Plugin SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-betterdocs-sqli/"}],"language":"en","title":"CraftedSignal Threat Feed — BetterDocs Pro Plugin","version":"https://jsonfeed.org/version/1.1"}