CVE-2026-6393
Medium severity (4.3) · NVD Advisory · Published Apr 24, 2026 · Updated Apr 24, 2026
Description
The BetterDocs plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 4.3.11. This is due to a missing capability check in the generate_openai_content_callback() function, which relies solely on a nonce rather than verifying user permissions. This makes it possible for authenticated attackers, with subscriber-level access and above, to trigger OpenAI API calls using the site's configured API key with arbitrary user-controlled prompts, leading to unauthorized consumption of the site owner's paid AI API quota.
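The flaw class above (an AJAX handler that checks a nonce but never a capability) next to its hardened form, as an added illustration that is not BetterDocs' own code. The `example_` function names, the hook name, the nonce action and the option key are assumptions made for this example.

```php
<?php
// Added illustration of the flaw class described above, not the plugin's own code.
// Hook names, nonce action, option key and function names are assumptions.

// BEFORE (vulnerable pattern): the handler verifies only the nonce. A nonce proves
// the request came from a page the site served to this logged-in user (CSRF
// protection); it says nothing about whether that user is allowed to do this.
function example_generate_openai_content_callback_vulnerable() {
    check_ajax_referer( 'example_write_with_ai', 'nonce' );

    $prompt = sanitize_textarea_field( wp_unslash( $_POST['prompt'] ?? '' ) );
    wp_send_json_success( example_call_openai( $prompt ) ); // spends the site's paid quota
}

// AFTER (hardened pattern): keep the nonce AND add an authorization check.
// Choose the narrowest capability that fits the feature; 'edit_posts' already
// excludes subscribers, who have no business generating article content.
function example_generate_openai_content_callback_hardened() {
    check_ajax_referer( 'example_write_with_ai', 'nonce' );

    if ( ! current_user_can( 'edit_posts' ) ) {
        // wp_send_json_error() terminates the request, so no return is needed.
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $prompt = sanitize_textarea_field( wp_unslash( $_POST['prompt'] ?? '' ) );
    if ( '' === $prompt || strlen( $prompt ) > 4000 ) {
        // Bound the input so one caller cannot burn quota with oversized prompts.
        wp_send_json_error( array( 'message' => 'Invalid prompt.' ), 400 );
    }

    wp_send_json_success( example_call_openai( $prompt ) );
}

// Stand-in for the upstream request; the real key lives in a plugin option.
function example_call_openai( $prompt ) {
    $api_key = get_option( 'example_openai_api_key' );
    // ... wp_remote_post() to the OpenAI API using $api_key and $prompt ...
    return array( 'prompt_length' => strlen( $prompt ) );
}

// Register only the hardened handler, and only for logged-in users: do not also
// hook 'wp_ajax_nopriv_...', which would expose it to unauthenticated requests.
add_action( 'wp_ajax_example_generate_openai_content', 'example_generate_openai_content_callback_hardened' );
```

When reviewing WordPress AJAX or REST handlers, treat `check_ajax_referer()` / `wp_verify_nonce()` alone as a finding: every handler that changes state or spends a resource also needs a `current_user_can()` check (or a REST `permission_callback`).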
Affected products (1)
Patches (0)
No patches discovered yet.
References
- plugins.trac.wordpress.org/browser/betterdocs/tags/4.3.6/includes/Core/WriteWithAI.php (NVD)
- plugins.trac.wordpress.org/browser/betterdocs/trunk/includes/Core/WriteWithAI.php (NVD)
- plugins.trac.wordpress.org/changeset (NVD)
- www.wordfence.com/threat-intel/vulnerabilities/id/432b11be-174d-45d6-aa3b-2fbfa85ec17a (NVD)
News mentions (3)
- Wordfence Intelligence Weekly WordPress Vulnerability Report (May 4, 2026 to May 10, 2026) · Wordfence Blog · May 14, 2026
- Wordfence Intelligence Weekly WordPress Vulnerability Report (April 20, 2026 to April 26, 2026) · Wordfence Blog · Apr 30, 2026
- Wordfence Intelligence Weekly WordPress Vulnerability Report (April 13, 2026 to April 19, 2026) · Wordfence Blog · Apr 23, 2026