CVE-2026-6393: The BetterDocs plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 4.3.11. This
mediumvulnerabilityLLM-Specific
security
Summary
The BetterDocs plugin for WordPress (versions up to 4.3.11) has a security flaw where the generate_openai_content_callback() function checks for a nonce (a security token that verifies a request is legitimate) but doesn't verify that the user has permission to perform the action. This allows any authenticated user with subscriber-level access or higher to make the plugin call OpenAI's AI service using the site owner's API key and paid quota, even though they shouldn't have that permission.
Vulnerability Details
CVSS Score
4.3(medium)
EPSS (30-day exploit probability)
EPSS: 0.0%
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
network
Attack Complexity
low
Privileges Required
low
User Interaction
none
Disclosure Date
April 24, 2026
Classification
Attack Type
Other
Attack SophisticationTrivial
Impact (CIA+S)
integrityavailability
Affected Vendors
OpenAI
Related Issues
Monthly digest — independent AI security research
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-6393
First tracked: April 24, 2026 at 08:10 AM
Classified by LLM (prompt v3) · confidence: 92%