CVE-2025-14980 — MEDIUM (CVSS 6.5) AI Security Vulnerability

CISO Take

Any WordPress deployment running BetterDocs ≤4.3.3 with OpenAI integration is leaking its API key to every contributor-level user. Patch to 4.3.4 immediately and rotate the OpenAI API key — assume it is compromised. Set OpenAI spending limits and audit API logs for unauthorized queries before you close the incident.

Risk Assessment

Rated CVSS 6.5 but practical impact is higher in AI-integrated environments. Contributor access is low-barrier in content-heavy WordPress sites that allow user registration. The exposed OpenAI API key enables unlimited inference at the victim's expense, potential exfiltration of assistant configurations or fine-tuned model behavior, and unbounded cost accumulation. Exploitability is trivial — no specialized tooling required.

Severity & Risk

CVSS 3.1

6.5 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 4% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR Low

UI None

S Unchanged

C High

I None

A None

Recommended Action

1 step

1) Patch immediately: update BetterDocs to 4.3.4+. 2) Rotate the OpenAI API key in the OpenAI dashboard — treat the existing key as fully compromised. 3) Set API spending limits and anomaly alerts in the OpenAI account. 4) Audit OpenAI API usage logs for unauthorized queries during the exposure window. 5) Review contributor-level WordPress accounts for unauthorized access or account creation. 6) Scan other installed WordPress plugins for similar credential exposure patterns using tools like WPScan or a code audit.

CISA SSVC Assessment

Decision Track

Exploitation none

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Leakage Data Extraction Auth Bypass API Plugin AML.T0034 - Cost Harvesting AML.T0040 - AI Model Inference API Access AML.T0048.000 - Financial Harm AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials AML.T0083 - Credentials from AI Agent Configuration AML.T0091.000 - Application Access Token

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity Article 9 - Risk Management System

ISO 42001

A.6.2.6 - AI System Security A.9.2 - Information security controls for AI systems

NIST AI RMF

MANAGE 2.2 - Mechanisms to sustain the value of deployed AI

OWASP LLM Top 10

LLM02 - Sensitive Information Disclosure LLM06 - Sensitive Information Disclosure LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2025-14980?

Any WordPress deployment running BetterDocs ≤4.3.3 with OpenAI integration is leaking its API key to every contributor-level user. Patch to 4.3.4 immediately and rotate the OpenAI API key — assume it is compromised. Set OpenAI spending limits and audit API logs for unauthorized queries before you close the incident.

Is CVE-2025-14980 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-14980, increasing the risk of exploitation.

How to fix CVE-2025-14980?

1) Patch immediately: update BetterDocs to 4.3.4+. 2) Rotate the OpenAI API key in the OpenAI dashboard — treat the existing key as fully compromised. 3) Set API spending limits and anomaly alerts in the OpenAI account. 4) Audit OpenAI API usage logs for unauthorized queries during the exposure window. 5) Review contributor-level WordPress accounts for unauthorized access or account creation. 6) Scan other installed WordPress plugins for similar credential exposure patterns using tools like WPScan or a code audit.

What systems are affected by CVE-2025-14980?

This vulnerability affects the following AI/ML architecture patterns: LLM API integrations, WordPress AI plugins, knowledge base and documentation systems, plugin frameworks.

What is the CVSS score for CVE-2025-14980?

CVE-2025-14980 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.02%.

Technical Details

NVD Description

The BetterDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.3 via the scripts() function. This makes it possible for authenticated attackers, with contributor-level access and above, to extract sensitive data including the OpenAI API key stored in plugin settings.

Exploitation Scenario

An attacker registers or compromises a contributor-level account on a target WordPress site. They load any BetterDocs-enabled page and inspect the JavaScript sources rendered by the plugin's scripts() function, which embeds the OpenAI API key in plaintext in the frontend bundle. The attacker extracts the key in under five minutes without any specialized tooling. They immediately begin abusing the OpenAI API: sending high-volume queries to harvest costs, probing assistants for sensitive conversation history, or extracting fine-tuned model behavior. If the key grants access to OpenAI organization-level resources, lateral access to other team members' data is possible.