AI Threat Alert
CVE-2026-6393
MEDIUMThe BetterDocs plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 4.3.11. This is due to a missing capability check in the generate_openai_content_callback() function, which relies solely on a nonce rather than verifying user permissions. This makes it...
Full CISO analysis pending enrichment.
Severity & Risk
Attack Surface
Recommended Action
No patch available
Monitor for updates. Consider compensating controls or temporary mitigations.
Compliance Impact
Compliance analysis pending. Sign in for full compliance mapping when available.
Frequently Asked Questions
What is CVE-2026-6393?
The BetterDocs plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 4.3.11. This is due to a missing capability check in the generate_openai_content_callback() function, which relies solely on a nonce rather than verifying user permissions. This makes it possible for authenticated attackers, with subscriber-level access and above, to trigger OpenAI API calls using the site's configured API key with arbitrary user-controlled prompts, leading to unauthorized
Is CVE-2026-6393 actively exploited?
No confirmed active exploitation of CVE-2026-6393 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-6393?
No patch is currently available. Monitor vendor advisories for updates.
What is the CVSS score for CVE-2026-6393?
CVE-2026-6393 has a CVSS v3.1 base score of 4.3 (MEDIUM).
Technical Details
NVD Description
The BetterDocs plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 4.3.11. This is due to a missing capability check in the generate_openai_content_callback() function, which relies solely on a nonce rather than verifying user permissions. This makes it possible for authenticated attackers, with subscriber-level access and above, to trigger OpenAI API calls using the site's configured API key with arbitrary user-controlled prompts, leading to unauthorized consumption of the site owner's paid AI API quota.
Weaknesses (CWE)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N References
- plugins.trac.wordpress.org/browser/betterdocs/tags/4.3.6/includes/Core/WriteWithAI.php
- plugins.trac.wordpress.org/browser/betterdocs/tags/4.3.6/includes/Core/WriteWithAI.php
- plugins.trac.wordpress.org/browser/betterdocs/trunk/includes/Core/WriteWithAI.php
- plugins.trac.wordpress.org/browser/betterdocs/trunk/includes/Core/WriteWithAI.php
- plugins.trac.wordpress.org/changeset
- wordfence.com/threat-intel/vulnerabilities/id/432b11be-174d-45d6-aa3b-2fbfa85ec17a