CVE-2026-6393: BetterDocs: Auth bypass drains OpenAI API quota

MEDIUM
Published April 24, 2026
CISO Take

CVE-2026-6393 affects the BetterDocs WordPress plugin (versions ≤4.3.11), where the AI content generation endpoint validates only a WordPress nonce without checking user capabilities, allowing any subscriber-level authenticated user to trigger OpenAI API calls with arbitrary prompts using the site owner's configured API key. While rated CVSS 4.3 (medium) and absent from CISA KEV, this flaw sits at the 92nd EPSS percentile and requires only the lowest-privilege WordPress role to exploit — making it accessible to virtually any registered site user with no technical sophistication required. The primary risk is financial and operational: sustained abuse can exhaust paid OpenAI quota, generate unexpected billing charges, and degrade AI-powered documentation features for legitimate users. Organizations running BetterDocs with OpenAI integration should update immediately to version 4.3.12 or later, rotate the OpenAI API key if compromise is suspected, and audit API usage logs for anomalous token consumption spikes.

Sources: NVD, EPSS, ATLAS, Wordfence

What is the risk?

Low-to-medium severity by CVSS, but operationally significant for WordPress deployments with active OpenAI API integrations. The missing capability check (CWE-862) requires only subscriber-level authentication — effectively the lowest-privilege WordPress role — with no special tooling or AI knowledge needed. Risk scales directly with the site's OpenAI spending limits and registered user base size. Organizations with open user registration and high OpenAI API quotas face the greatest exposure. The vulnerability represents a systemic gap common in WordPress plugins that bolt on AI capabilities without revisiting authorization models.

How does the attack unfold?

  1. Initial Access (AML.T0012, Valid Accounts): Attacker registers or uses an existing subscriber-level WordPress account on the target site running BetterDocs ≤4.3.11.

  2. Exploitation (AML.T0049, Exploit Public-Facing Application): Attacker extracts a valid nonce from BetterDocs page source and crafts POST requests to the generate_openai_content_callback() AJAX endpoint, bypassing all capability checks.

  3. AI API Abuse (AML.T0040, AI Model Inference API Access): The site's OpenAI API key is used to fulfill all attacker-supplied prompts without authorization checks, granting effective inference API access to the attacker.

  4. Impact (AML.T0034, Cost Harvesting): Sustained high-volume API calls exhaust the site owner's paid OpenAI quota, generating unexpected charges and disabling AI documentation features for legitimate users.

How severe is it?

CVSS 3.1
4.3 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 12% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): Low
Availability (A): None

What should I do?

6 steps
  1. Update BetterDocs to version 4.3.12 or higher immediately — the patch adds proper capability checks to generate_openai_content_callback().

  2. Rotate the OpenAI API key configured in BetterDocs settings if any unauthorized usage is suspected; issue a new key with usage limits.

  3. Audit OpenAI API usage dashboard for anomalous spikes in token consumption, especially from your WordPress site's referrer.

  4. Set hard OpenAI API usage caps and budget alerts in the OpenAI platform to limit financial exposure from future abuse.

  5. Review WordPress user registration settings — restrict open subscriber registration if not operationally required.

  6. For detection: monitor WordPress admin logs for high-frequency AJAX calls to wp-admin/admin-ajax.php targeting BetterDocs actions from subscriber-level users.
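One way to implement the detection in step 6 inside WordPress itself, as an added example that is neither BetterDocs nor Wordfence code: a must-use plugin that hooks the AI AJAX action ahead of the plugin's own handler, logs every call made by a user who lacks `edit_posts`, and logs a burst warning (and refuses the call, as a compensating control until the update is applied) once a user exceeds a threshold within a fixed window. The action slug is assumed from the function name the advisory gives; the `edit_posts` capability, the threshold and the window length are also assumptions.

```php
<?php
/**
 * Plugin Name: Audit bursts of BetterDocs AI AJAX calls (added example, not plugin code)
 * Install by copying into wp-content/mu-plugins/.
 */

const BD_AI_ACTION    = 'generate_openai_content_callback'; // assumed AJAX action slug
const BD_AI_WINDOW    = 300;  // fixed window, in seconds
const BD_AI_THRESHOLD = 20;   // calls per user per window before the burst alarm fires

// Priority 0 so this runs before the plugin's handler (default priority 10).
// Only the authenticated hook matters: the flaw needs a logged-in account.
add_action('wp_ajax_' . BD_AI_ACTION, 'bd_ai_audit_request', 0);

function bd_ai_audit_request(): void {
    $user = wp_get_current_user();
    $key  = 'bd_ai_calls_' . $user->ID;

    // Per-user counter with a fixed window start, kept in a transient.
    $bucket = get_transient($key);
    if (!is_array($bucket) || time() - $bucket['since'] > BD_AI_WINDOW) {
        $bucket = ['since' => time(), 'n' => 0];
    }
    $bucket['n']++;
    set_transient($key, $bucket, BD_AI_WINDOW);

    // The patched plugin requires a capability, so calls from users without
    // one are exactly the requests the missing check lets through. Log each.
    // REMOTE_ADDR is the proxy address if the site sits behind one.
    if (!current_user_can('edit_posts')) {
        error_log(sprintf('[bd-ai-audit] uid=%d roles=%s ip=%s count=%d',
            $user->ID, implode(',', $user->roles),
            $_SERVER['REMOTE_ADDR'] ?? '-', $bucket['n']));
    }

    if ($bucket['n'] > BD_AI_THRESHOLD) {
        error_log(sprintf('[bd-ai-audit] BURST uid=%d exceeded %d calls in %ds',
            $user->ID, BD_AI_THRESHOLD, BD_AI_WINDOW));
        // Compensating control: stop the request before the plugin spends quota.
        wp_send_json_error(['message' => 'Rate limit exceeded'], 429);
    }
}
```

Tail the PHP error log (or route `error_log` to your SIEM) and alert on `[bd-ai-audit] BURST` lines; the per-call lines give you the user IDs and roles to review.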

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
A.6.1 - AI System Access Control and Authorization
A.9.1 - Third-Party AI API Governance
NIST AI RMF
GOVERN 1.1 - AI Risk Policies and Access Procedures
MANAGE 2.2 - AI System Monitoring and Anomaly Detection
OWASP LLM Top 10
LLM10:2025 - Unbounded Consumption

Frequently Asked Questions

Is CVE-2026-6393 actively exploited?

No confirmed active exploitation of CVE-2026-6393 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-6393?

This vulnerability affects the following AI/ML architecture patterns: WordPress AI content generation plugins, LLM API integrations via third-party CMS plugins, Plugin-based AI agent frameworks, AI-assisted CMS and documentation deployments.

What is the CVSS score for CVE-2026-6393?

CVE-2026-6393 has a CVSS v3.1 base score of 4.3 (MEDIUM). The EPSS exploitation probability is 0.21%.

What is the AI security impact?

Affected AI Architectures

WordPress AI content generation plugins
LLM API integrations via third-party CMS plugins
Plugin-based AI agent frameworks
AI-assisted CMS and documentation deployments

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0034 Cost Harvesting
AML.T0034.000 Excessive Queries
AML.T0040 AI Model Inference API Access
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.1, A.9.1
NIST AI RMF: GOVERN 1.1, MANAGE 2.2
OWASP LLM Top 10: LLM10:2025

What are the technical details?

Original Advisory

The BetterDocs plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 4.3.11. This is due to a missing capability check in the generate_openai_content_callback() function, which relies solely on a nonce rather than verifying user permissions. This makes it possible for authenticated attackers, with subscriber-level access and above, to trigger OpenAI API calls using the site's configured API key with arbitrary user-controlled prompts, leading to unauthorized consumption of the site owner's paid AI API quota.

Exploitation Scenario

An attacker targeting a WordPress documentation site using BetterDocs registers as a subscriber — a role commonly enabled for community portals. After login, the attacker loads any BetterDocs page to obtain a valid nonce from the page source or JavaScript, then scripts a loop of POST requests to the WordPress AJAX endpoint targeting the generate_openai_content_callback action with arbitrary user-controlled prompt payloads. Since no capability check validates whether the requester has permission to invoke AI features, the site's OpenAI API key processes every request. The attacker can send thousands of resource-intensive prompts, drain the site owner's paid quota within hours, and if the site lacks billing alerts, accumulate significant unexpected API charges before detection.
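The handler shape behind the CWE-862 weakness described in the advisory and the scenario above, as an added illustration rather than BetterDocs' own source: a hypothetical AJAX callback that checks only a nonce, beside the same callback with the capability check the fix requires and a bound on prompt size. The nonce name, the `prompt` parameter, the `edit_posts` capability, the length limit and the `bd_call_openai()` stand-in are all assumptions; the page does not say which capability the 4.3.12 patch checks.

```php
<?php
// Stand-in for the plugin's OpenAI request (assumed); the real one spends the
// site owner's stored API key, which is what makes the missing check costly.
function bd_call_openai(string $prompt): array {
    return ['text' => 'model output for: ' . $prompt];
}

// Vulnerable shape. check_ajax_referer() only proves the request carries a
// nonce minted for this logged-in user's session, i.e. it is a CSRF defence.
// Any subscriber can read that nonce from a BetterDocs page and replay it,
// so no authorization decision is ever made before the API key is used.
function vulnerable_generate_openai_content_callback(): void {
    check_ajax_referer('betterdocs_ai_nonce', 'nonce');   // CSRF check only
    $prompt = wp_unslash($_POST['prompt'] ?? '');
    wp_send_json_success(bd_call_openai($prompt));        // spends owner's quota
}

// Hardened shape: nonce for CSRF, capability for authorization, and a cap on
// the prompt so a single request cannot burn an outsized number of tokens.
// wp_send_json_error() terminates the request, so no return is needed after it.
function hardened_generate_openai_content_callback(): void {
    check_ajax_referer('betterdocs_ai_nonce', 'nonce');
    if (!current_user_can('edit_posts')) {               // assumed: authors and above
        wp_send_json_error(['message' => 'Insufficient permissions'], 403);
    }
    $prompt = sanitize_textarea_field(wp_unslash($_POST['prompt'] ?? ''));
    if ($prompt === '' || mb_strlen($prompt) > 2000) {    // assumed bound
        wp_send_json_error(['message' => 'Invalid prompt'], 400);
    }
    wp_send_json_success(bd_call_openai($prompt));
}

// Only the hardened variant is wired to the (assumed) AJAX action; the
// vulnerable one is kept above purely for comparison.
add_action('wp_ajax_generate_openai_content_callback',
           'hardened_generate_openai_content_callback');
```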

Weaknesses (CWE)

CWE-862 — Missing Authorization: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

  • [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
  • [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Timeline

Published
April 24, 2026
Last Modified
April 24, 2026
First Seen
April 24, 2026
