{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3875", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-10T10:33:26.535Z", "datePublished": "2026-04-16T06:44:51.744Z", "dateUpdated": "2026-04-16T06:44:51.744Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-16T06:44:51.744Z"}, "affected": [{"vendor": "wpdevteam", "product": "BetterDocs \u2013 Knowledge Base Docs & FAQ Solution for Elementor & Block Editor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.3.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The BetterDocs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'betterdocs_feedback_form' shortcode in all versions up to, and including, 4.3.8. This is due to insufficient input sanitization and output escaping on user supplied shortcode attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "BetterDocs <= 4.3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5b7e4c3c-a12e-4b11-9673-79a7060052a8?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=betterdocs/tags/4.3.8/views/shortcodes/feedback-form.php&new_path=betterdocs/tags/4.3.9/views/shortcodes/feedback-form.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2026-02-26T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-03-10T10:53:09.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-15T18:25:01.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The BetterDocs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'betterdocs_feedback_form' shortcode in all versions up to, and including, 4.3.8. This is due to insufficient input sanitization and output escaping on user supplied shortcode attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-3875", "lastModified": "2026-04-16T07:16:30.207", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-16T07:16:30.207", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?old_path=betterdocs/tags/4.3.8/views/shortcodes/feedback-form.php&new_path=betterdocs/tags/4.3.9/views/shortcodes/feedback-form.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5b7e4c3c-a12e-4b11-9673-79a7060052a8?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.3.8]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "BetterDocs \u2013 Knowledge Base Docs & FAQ Solution for Elementor & Block Editor", "source": "cna", "vendor": "wpdevteam"}, "product": "betterdocs_\u2013__knowledge_base_docs_&_faq_solution_for_elementor_&_block_editor", "vendor": "wpdevteam"}], "analysis": {"en": {"generated_at": "2026-04-16T08:51:27.665526+00:00", "value": {"mitigation_remediation": ["Upgrade BetterDocs to version 4.3.9 or later to remove the vulnerable shortcode handling code.", "If an upgrade is not available, immediately remove or disable the 'betterdocs_feedback_form' shortcode from any content that contributors can edit.", "Apply a web\u2011application firewall or content\u2011security policy rule to block or strip script tags from shortcode attribute values until a patch is applied."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting via shortcode attributes"}, "threat_synthesis": {"affected_systems": "BetterDocs plugin for WordPress, versions 4.3.8 and earlier, distributed by wpdevteam. The vulnerability applies to sites that use the feedback form shortcode in any page or post.", "description_and_impact": "The BetterDocs WordPress plugin contains a stored cross\u2011site scripting flaw in the 'betterdocs_feedback_form' shortcode. Insufficient sanitization and escaping of user\u2011supplied shortcode attributes allow attackers to inject arbitrary scripts. Once injected, the malicious code executes whenever an authenticated contributor or higher\u2010privileged user accesses the page, potentially leading to session hijacking, data theft, or defacement. The weakness is a classic input validation error (CWE\u201179).", "risk_and_exploitability": "The flaw scores a moderate CVSS 6.4, with no EPSS data and no listing in the CISA KEV catalog, indicating some risk but not a known widespread exploitation. Attack requires authenticated access at the contributor level or higher; the attacker then supplies malicious shortcode attributes. The impact is limited to the contents of the site, but the stored nature means the payload persists until removed or the plugin is upgraded."}}}}, "created": "2026-04-16T09:00:05.289033+00:00", "updated": "2026-04-16T09:11:38.260313+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpdevteam", "wpdevteam$PRODUCT$betterdocs_\u2013__knowledge_base_docs_&_faq_solution_for_elementor_&_block_editor"]}