CVE-2025-14980

MEDIUM
Published January 9, 2026
CISO Take

Any WordPress deployment running BetterDocs ≤4.3.3 with OpenAI integration is leaking its API key to every contributor-level user. Patch to 4.3.4 immediately and rotate the OpenAI API key — assume it is compromised. Set OpenAI spending limits and audit API logs for unauthorized queries before you close the incident.

Severity & Risk

CVSS 3.1
6.5 / 10
EPSS
N/A
KEV Status
Not in KEV
Sophistication
Trivial

Recommended Action

  1. Patch immediately: update BetterDocs to 4.3.4+.
  2. Rotate the OpenAI API key in the OpenAI dashboard — treat the existing key as fully compromised.
  3. Set API spending limits and anomaly alerts in the OpenAI account.
  4. Audit OpenAI API usage logs for unauthorized queries during the exposure window.
  5. Review contributor-level WordPress accounts for unauthorized access or account creation.
  6. Scan other installed WordPress plugins for similar credential exposure patterns using tools like WPScan or a code audit.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
Art. 9 - Risk Management System
ISO 42001
A.6.2.6 - AI System Security
A.9.2 - Information security controls for AI systems
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain the value of deployed AI
OWASP LLM Top 10
LLM02 - Sensitive Information Disclosure
LLM06 - Sensitive Information Disclosure
LLM07 - Insecure Plugin Design

Technical Details

NVD Description

The BetterDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.3 via the scripts() function. This makes it possible for authenticated attackers, with contributor-level access and above, to extract sensitive data including the OpenAI API key stored in plugin settings.

Exploitation Scenario

An attacker registers or compromises a contributor-level account on a target WordPress site. They load any BetterDocs-enabled page and inspect the JavaScript sources rendered by the plugin's scripts() function, which embeds the OpenAI API key in plaintext in the frontend bundle. The attacker extracts the key in under five minutes without any specialized tooling. They can then abuse the OpenAI API: sending high-volume queries that run up the victim's API costs, probing assistants for sensitive conversation history, or extracting fine-tuned model behavior. If the key grants access to OpenAI organization-level resources, lateral access to other team members' data is possible.
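The embedding pattern the NVD description refers to, shown as a hypothetical WordPress plugin snippet beside a hardened server-side proxy (added illustration, not BetterDocs' own code; the function names, the option name docs_demo_openai_key, the REST route and wp_localize_script as the embedding mechanism are assumptions):

```php
<?php
// Hypothetical plugin code illustrating the pattern, not BetterDocs' own source.
// Assumes the key is stored in the option 'docs_demo_openai_key'.
// VULNERABLE: the key is localized into the page, so every user who can load
// the docs UI can read it from the rendered HTML or the browser devtools.
function docs_demo_scripts_vulnerable() {
    wp_enqueue_script( 'docs-demo-ai', plugins_url( 'ai.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'docs-demo-ai', 'docsDemoAi', array(
        'openaiKey' => get_option( 'docs_demo_openai_key' ), // secret shipped to the client
    ) );
}

// HARDENED: the browser gets only a REST endpoint and a nonce; the key stays server-side.
function docs_demo_scripts_hardened() {
    wp_enqueue_script( 'docs-demo-ai', plugins_url( 'ai.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'docs-demo-ai', 'docsDemoAi', array(
        'endpoint' => rest_url( 'docs-demo/v1/ask' ),
        'nonce'    => wp_create_nonce( 'wp_rest' ), // sent back as X-WP-Nonce for cookie auth
    ) );
}
add_action( 'wp_enqueue_scripts', 'docs_demo_scripts_hardened' );

// Server-side proxy: capability check, input sanitization, key read at request time.
add_action( 'rest_api_init', function () {
    register_rest_route( 'docs-demo/v1', '/ask', array(
        'methods'             => 'POST',
        'callback'            => 'docs_demo_ask',
        'permission_callback' => function () { return current_user_can( 'edit_posts' ); },
        'args' => array( 'prompt' => array( 'required' => true, 'sanitize_callback' => 'sanitize_textarea_field' ) ),
    ) );
} );
function docs_demo_ask( WP_REST_Request $request ) {
    $key = get_option( 'docs_demo_openai_key' );
    if ( empty( $key ) ) {
        return new WP_Error( 'docs_demo_no_key', 'OpenAI key not configured', array( 'status' => 500 ) );
    }
    $response = wp_remote_post( 'https://api.openai.com/v1/chat/completions', array(
        'timeout' => 30,
        'headers' => array( 'Authorization' => 'Bearer ' . $key, 'Content-Type' => 'application/json' ),
        'body'    => wp_json_encode( array(
            'model'    => 'MODEL_NAME_PLACEHOLDER', // placeholder: choose the model in plugin settings
            'messages' => array( array( 'role' => 'user', 'content' => $request['prompt'] ) ),
        ) ),
    ) );
    if ( is_wp_error( $response ) ) { // do not relay upstream error details to the client
        return new WP_Error( 'docs_demo_upstream', 'Upstream request failed', array( 'status' => 502 ) );
    }
    // Relay only the response body; the Authorization header and the key are never echoed.
    return rest_ensure_response( json_decode( wp_remote_retrieve_body( $response ), true ) );
}
```

With the hardened form, a contributor can still use the feature through the proxy, but the key is never present in any page source, and per-user rate limits and logging can be enforced inside docs_demo_ask.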

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Timeline

Published
January 9, 2026
Last Modified
January 13, 2026
First Seen
January 9, 2026