CVE-2026-7515: BetterDocs Pro WordPress Plugin — Unauthenticated Local File Inclusion

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.


A critical Local File Inclusion vulnerability in the BetterDocs Pro WordPress plugin (up to v3.8.0) allows unauthenticated attackers to include and execute arbitrary PHP files via the doc_style parameter, enabling full server compromise.

Dylan H., Security Team
June 19, 2026

Affected Products

  • BetterDocs Pro plugin for WordPress up to version 3.8.0

Unauthenticated LFI in BetterDocs Pro Enables Full Server Compromise

The BetterDocs Pro plugin for WordPress is affected by a critical Local File Inclusion (LFI) vulnerability tracked as CVE-2026-7515, disclosed to the National Vulnerability Database (NVD) on June 19, 2026. The flaw carries a CVSS score of 9.8 (Critical) and affects all versions up to and including 3.8.0.

The vulnerability exists in the plugin's handling of the doc_style parameter. Because this parameter is not properly sanitized or validated before being used in a PHP include() or equivalent file inclusion call, unauthenticated attackers can supply a path to an arbitrary .php file on the server — causing WordPress to execute it with the web server's privileges.

BetterDocs Pro is a premium documentation and knowledge base plugin for WordPress used by thousands of sites to build self-service help centers and product documentation portals. The unauthenticated nature of this vulnerability means exploitation requires no account or prior access to the target site.


Vulnerability Details

Detail | Value
------ | -----
CVE ID | CVE-2026-7515
CVSS Score | 9.8 (Critical)
CWE | CWE-22 (Path Traversal) / CWE-98 (Improper Control of Filename for Include/Require)
Attack Vector | Network; unauthenticated, no user interaction
Affected Plugin | BetterDocs Pro for WordPress
Affected Versions | Up to and including 3.8.0
Vulnerable Parameter | doc_style
Impact | Arbitrary PHP file execution, full server compromise
Published | June 19, 2026
Patch Available | Update to a version above 3.8.0
Exploited in Wild | Not yet confirmed

How the Vulnerability Works

The doc_style Parameter

BetterDocs Pro uses a doc_style parameter — likely passed via a shortcode, AJAX request, or REST API endpoint — to control which template or style variant is loaded for documentation display. In vulnerable versions, this parameter value is passed directly (or with insufficient filtering) into a PHP file inclusion function:

// Vulnerable pattern (simplified)
include(BETTERDOCS_PLUGIN_PATH . '/templates/' . $_REQUEST['doc_style'] . '.php');

LFI to RCE Path

A successful LFI attack on a WordPress site can escalate to full Remote Code Execution (RCE) through several well-known techniques:

PHP file on the local filesystem: If the attacker can upload a file (e.g., through another plugin, the WordPress media library, or a contact form) containing PHP code, they can then reference it via the LFI to trigger execution:

doc_style=../../../../uploads/2026/06/malicious

PHP session file inclusion: PHP session files stored in /tmp/ may contain attacker-controlled content from prior web requests, which can be included and executed:

doc_style=../../../../../../tmp/sess_attackercontrolledvalue

Log file poisoning: Web server access logs that contain attacker-injected PHP code (via crafted User-Agent headers) can be included if the log path is known or guessable.

No Authentication Required

The critical aspect of CVE-2026-7515 is that exploitation requires zero authentication — the vulnerable endpoint is accessible to any HTTP client. This dramatically lowers the bar for mass exploitation, as automated scanners can identify and exploit vulnerable WordPress sites without any credential theft or account enumeration.


Impact Assessment

Impact Area | Description
----------- | -----------
Authentication | None required; fully unauthenticated
Scope | All BetterDocs Pro installations up to v3.8.0
WordPress core | Not directly affected; the flaw is in the plugin
Data exposure | All files readable by the PHP process (wp-config.php, database credentials)
Code execution | Full RCE achievable via file upload + LFI chaining
Privilege escalation | Web server process privileges; potential for OS-level access on misconfigured hosts
Lateral movement | Access to wp-config.php yields database credentials usable for further compromise

Recommendations

Immediate Actions

  1. Update BetterDocs Pro immediately — check the plugin's changelog for a release above 3.8.0 that addresses this CVE
  2. Deactivate the plugin if an update is not yet available and the plugin is not actively needed — deactivation prevents the vulnerable code from executing
  3. Review file upload history — audit the WordPress media library and any custom upload directories for unexpected PHP files

Detection Guidance

Look for suspicious patterns in web server logs targeting BetterDocs Pro endpoints:

# Suspicious GET/POST with path traversal in doc_style
doc_style=../../
doc_style=....//....//
doc_style=/etc/passwd
doc_style=../../../../tmp/sess_

Monitor for:

  • Unexpected new .php files appearing in the uploads directory
  • PHP execution from within the WordPress uploads folder (should be blocked by .htaccess but often misconfigured)
  • Database credential theft indicators (new admin users, unusual login activity)
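The log patterns above, turned into a scan that percent-decodes each doc_style value (repeatedly, so double-encoded probes such as ..%252F are not missed) before matching. This is an added example, not code from the article or from BetterDocs; the log lines are constructed samples in Apache combined format, and the /docs/ request path is an assumption since the article does not identify the vulnerable endpoint.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [19/Jun/2026:10:01:02 +0000] "GET /docs/?doc_style=default HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Jun/2026:10:01:09 +0000] "GET /docs/?doc_style=../../../../uploads/2026/06/malicious HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.7 - - [19/Jun/2026:10:01:11 +0000] "GET /docs/?doc_style=..%252F..%252F..%252Ftmp%252Fsess_abc HTTP/1.1" 500 0 "-" "python-requests/2.31"
203.0.113.9 - - [19/Jun/2026:10:02:00 +0000] "GET /docs/?doc_style=....//....//etc/passwd HTTP/1.1" 200 77 "-" "curl/8.0"
203.0.113.5 - - [19/Jun/2026:10:03:30 +0000] "GET /docs/?doc_style=/etc/passwd HTTP/1.1" 200 77 "-" "curl/8.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Absolute paths, any parent-directory reference, NUL bytes, PHP session files.
SUSPICIOUS_RE = re.compile(r'(^/|^\\|\.\.|%00|\x00|sess_)', re.IGNORECASE)

def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %252E%252E is judged as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")   # treat backslash separators like slashes

def doc_style_values(target: str) -> list:
    """Return every doc_style value in the request target's query string."""
    query = urlsplit(target).query
    # parse_qs decodes one layer; keep_blank_values keeps empty probes visible
    return parse_qs(query, keep_blank_values=True).get("doc_style", [])

def scan_log(text: str) -> list:
    """Return one finding per log line whose doc_style looks like traversal."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for raw in doc_style_values(m.group("target")):
            value = fully_decode(raw)
            if SUSPICIOUS_RE.search(value):
                findings.append({"line": lineno, "client": line.split()[0],
                                 "doc_style": value})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client']} doc_style={f['doc_style']!r}")
```

Run it over a real access log with `scan_log(open(path).read())`; a `default`-style value that resolves to a plain template name produces no finding, which keeps the output to the requests worth a closer look.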

Hardening Measures

  • Block PHP execution in uploads: Ensure .htaccess rules prevent PHP execution within wp-content/uploads/ (the snippet below is Apache 2.2 syntax; on Apache 2.4 without mod_access_compat the equivalent directive is Require all denied, and nginx ignores .htaccess entirely, so the same rule must go in the server's location configuration):
    <FilesMatch "\.php$">
      Deny from all
    </FilesMatch>
  • Web Application Firewall: Deploy WAF rules to detect and block path traversal patterns in all input parameters
  • Disable unused plugins: Reduce attack surface by deactivating any WordPress plugins not actively used
  • WordPress file integrity monitoring: Use a security plugin or hosting-level file integrity monitoring to alert on unexpected file changes

WordPress Plugin Security Context

Local File Inclusion vulnerabilities in WordPress plugins are a persistent and recurring class of security issue. They are particularly dangerous because:

  • WordPress is the world's most popular CMS — millions of sites share the same plugin ecosystem
  • Plugin vulnerabilities affect all sites running the same version simultaneously
  • Many WordPress sites have minimal security monitoring and delayed patching cycles
  • The WordPress Plugin Directory and premium plugin marketplaces host thousands of plugins with varying security quality

Plugin authors are encouraged to use sanitize_file_name(), basename() with absolute path validation, and WordPress-native locate_template() or similar controlled-path loading mechanisms rather than directly incorporating user input into file inclusion calls.
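Applying that guidance to the vulnerable include() pattern shown under "The doc_style Parameter": an added example, not BetterDocs code, written in Python rather than PHP so it can be run and tested here. It allow-lists template names, strips any directory part with basename, and confirms the resolved file is still inside the templates directory; a PHP plugin would take the same steps with basename(), realpath() and a fixed array of names. The style names and directory layout are assumptions.

```python
import os
import tempfile
from typing import Dict, Optional

ALLOWED_STYLES = {"default", "sidebar", "compact"}   # assumed template names

def resolve_doc_style(doc_style: str, templates_dir: str) -> Optional[str]:
    """Map a user-supplied doc_style to a template path, or None to refuse it.

    Replaces include(PLUGIN_PATH . '/templates/' . $_REQUEST['doc_style'] . '.php'):
    allow-list the name, reject anything carrying a directory part, then prove
    the resolved file is inside the templates directory before returning it.
    """
    if not isinstance(doc_style, str) or "\x00" in doc_style:
        return None                        # NUL bytes once truncated include() paths
    name = os.path.basename(doc_style)     # "../x/default" -> "default"
    if name != doc_style or name not in ALLOWED_STYLES:
        return None                        # any path component, or unknown style
    base = os.path.realpath(templates_dir)
    candidate = os.path.realpath(os.path.join(base, name + ".php"))
    # realpath follows symlinks, so a planted link pointing outside is caught too
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate if os.path.isfile(candidate) else None

def demo() -> Dict[str, Optional[str]]:
    """Run the resolver over a constructed templates directory and some probes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        tdir = os.path.join(root, "templates")
        os.makedirs(tdir)
        os.makedirs(os.path.join(root, "uploads"))
        for n in ("default", "sidebar"):
            open(os.path.join(tdir, n + ".php"), "w").close()
        open(os.path.join(root, "uploads", "malicious.php"), "w").close()
        probes = ["default", "../uploads/malicious", "/etc/passwd",
                  "default\x00", "compact", "sidebar/../default"]
        results = {}
        for p in probes:
            path = resolve_doc_style(p, tdir)
            results[p] = None if path is None else os.path.relpath(path, root).replace(os.sep, "/")
        return results

if __name__ == "__main__":
    for probe, path in demo().items():
        print(f"{probe!r:28} -> {path}")
```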


Key Takeaways

  1. CVE-2026-7515 is a CVSS 9.8 critical LFI — affecting BetterDocs Pro WordPress plugin versions up to 3.8.0, exploitable with zero authentication
  2. The doc_style parameter allows attackers to specify arbitrary file paths that PHP includes and executes
  3. LFI chains to RCE via file upload + inclusion, session file poisoning, or log file injection — a well-established exploitation pathway
  4. Immediate plugin update is mandatory — unauthenticated, critical-severity WordPress plugin flaws are routinely mass-exploited within hours of disclosure
  5. Deactivate if patching is delayed — a deactivated plugin cannot be exploited; business impact of temporary deactivation is far lower than a site compromise

Sources

  • CVE-2026-7515 — NVD