External risk intelligence

BetterDocs Pro Local File Inclusion Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-7515

The vulnerability exists in a WordPress plugin. WordPress sites are frequently deployed as public-facing web applications, making this plugin's functionality and its associated parameters typically accessible over the public internet by design.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in the BetterDocs Pro plugin for WordPress, potentially allowing unauthenticated attackers to execute arbitrary PHP code on affected servers. This could lead to unauthorized access to sensitive data or compromise of server controls. The immediate priority is to confirm whether this plugin is in use and whether it is exposed to the internet.

  • Plugin flaw allows unauthenticated code execution.
  • Critical flaw impacts public-facing WordPress sites.
  • Confirm plugin use and exposure to mitigate risk.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this vulnerability by sending a specially crafted request to a vulnerable WordPress site. The attacker targets the BetterDocs Pro plugin, specifically manipulating the `doc_style` parameter to point to an arbitrary PHP file on the server. If the site allows the upload and inclusion of PHP files, this could allow the attacker to execute commands, steal data, or bypass security measures.

  • No authentication required.
  • Triggered via the `doc_style` parameter.
  • Leads to arbitrary file inclusion and code execution.
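The advisory identifies the `doc_style` parameter as the vector, so a defender can hunt for abuse of it in web server access logs. The following is an added example, not code from the advisory or from the plugin: it parses Apache/Nginx combined-format lines (constructed samples below, not real traffic), URL-decodes every `doc_style` value, and flags values that look like file paths or PHP stream wrappers rather than a style name.

```python
# Added example: flag access-log requests whose `doc_style` value looks like a
# file path or stream wrapper instead of a documentation style name.
# The log lines in SAMPLE_LOG are constructed for this example.
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Combined log format: client ip, identd, user, [timestamp], "METHOD target proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# A style name should never contain traversal, an absolute path, a scheme such
# as php:// or http://, an explicit .php extension, or a null byte.
SUSPICIOUS = re.compile(r'(\.\./|\.\.\\|^/|^[a-z]:\\|^[a-z]+://|\.php\b|\x00)', re.IGNORECASE)

def doc_style_values(target: str) -> list:
    """Return every doc_style value in the request target, fully decoded.
    parse_qs decodes once; decoding twice more catches double-encoded
    traversal such as %252e%252e%252f."""
    query = urlsplit(target).query
    raw = parse_qs(query, keep_blank_values=True).get("doc_style", [])
    return [unquote(unquote(v)) for v in raw]

def scan_log(lines) -> list:
    """Return (ip, timestamp, decoded_value) for each suspicious doc_style request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than crash
        for value in doc_style_values(m.group("target")):
            if SUSPICIOUS.search(value):
                hits.append((m.group("ip"), m.group("ts"), value))
    return hits

SAMPLE_LOG = [  # constructed sample traffic
    '203.0.113.7 - - [12/May/2026:10:14:03 +0000] "GET /docs/?doc_style=default HTTP/1.1" 200 5120',
    '203.0.113.7 - - [12/May/2026:10:14:09 +0000] "GET /docs/?doc_style=../../../../wp-config.php HTTP/1.1" 200 2048',
    '198.51.100.23 - - [12/May/2026:10:15:41 +0000] "GET /docs/?doc_style=%252e%252e%252fuploads%252fx.php HTTP/1.1" 500 312',
    '198.51.100.23 - - [12/May/2026:10:16:02 +0000] "GET /docs/?doc_style=php%3A%2F%2Ffilter%2Fresource%3Dindex HTTP/1.1" 200 900',
    '192.0.2.5 - - [12/May/2026:10:17:30 +0000] "GET /docs/?doc_style=sidebar&page=2 HTTP/1.1" 200 4100',
]

if __name__ == "__main__":
    for ip, ts, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious doc_style={value!r}")
```

Run it against a real log with `scan_log(open("access.log"))`; any hit from before the plugin was updated is worth a closer look at what that client did next.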

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to execute arbitrary PHP code on the server, as described in the advisory. This may lead to the compromise of sensitive data or of control over the system.

  • Sensitive system or user data.
  • Arbitrary PHP file inclusion.
  • Full server compromise.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability impacts the BetterDocs Pro WordPress plugin. The primary responsibility for addressing this likely falls to the web application or website owners who manage the WordPress instance, potentially in coordination with their infrastructure or platform teams responsible for the hosting environment. The initial action should be to locate all instances of the affected plugin, confirm their exposure to the internet, and identify the accountable owner for each instance to plan remediation.

  • Application owners should manage the issue.
  • Verify plugin reachability and business criticality.
  • Plan remediation based on identified risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the BetterDocs Pro plugin?

BetterDocs Pro is a WordPress plugin designed to create and manage documentation, knowledge bases, and frequently asked questions for websites. It helps site administrators organize support content and improve user navigation for their visitors.

What does Local File Inclusion mean for CVE-2026-7515?

This vulnerability is classified as CWE-98, or Improper Neutralization of Input During Web Page Generation. In plain terms, it means the plugin fails to properly check user input. An attacker can manipulate the `doc_style` parameter to trick the server into loading and running unauthorized PHP files, essentially allowing them to execute their own code on the site.

How is this vulnerability triggered?

An attacker triggers this by sending a crafted request to the web server that modifies the `doc_style` parameter. The vulnerability does not require any login or special privileges to initiate. It is important to note that simply visiting a site does not trigger the bug; the attacker must intentionally send a specific, malicious request to the vulnerable plugin.

Is my site at risk according to Halo Surface Signal?

Because this flaw affects a WordPress plugin, Halo Surface Signal flags it as a high-priority concern. WordPress sites are frequently deployed as public-facing web applications by design, meaning the `doc_style` parameter is likely accessible to anyone on the internet. If your WordPress site is publicly reachable, you should consider it potentially exposed.

What steps should I take if I use BetterDocs Pro?

First, verify whether you are running a version of BetterDocs Pro up to and including 3.8.0. If you are, check your plugin management dashboard to see whether an official update is available from the vendor. If an update is not immediately available, you may need to temporarily deactivate the plugin to prevent potential exploitation until a patch can be applied.
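The Operational Fix section and this answer describe one procedure: locate every install, check whether its version is at or below 3.8.0, and then update or temporarily deactivate. The following is an added example (not the vendor's or Halo's code) that applies that triage across a fleet, reading the JSON that WP-CLI's `wp plugin list --format=json` prints on each host; the plugin slug `betterdocs-pro`, the field names `name`/`status`/`update`/`version`, and the inventory itself are assumptions constructed for the example.

```python
# Added example: triage BetterDocs Pro installs against the affected range
# (up to and including 3.8.0) and recommend the advisory's action per host.
# Slug, field names and INVENTORY are constructed assumptions, not real data.
import json
import re

AFFECTED_MAX = "3.8.0"          # affected range per the advisory
PLUGIN_SLUG = "betterdocs-pro"  # assumed slug; confirm against your own install

def parse_version(v: str) -> tuple:
    """Make '3.8', '3.8.0' or '3.8.1-beta2' comparable; short versions are
    zero-padded and a pre-release sorts below the release with the same number."""
    m = re.match(r'^(\d+(?:\.\d+)*)(?:-([0-9A-Za-z.]+))?$', v.strip())
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))
    pre = (0, m.group(2)) if m.group(2) else (1, "")
    return (tuple(nums), pre)

def is_affected(version: str) -> bool:
    return parse_version(version) <= parse_version(AFFECTED_MAX)

def triage(host: str, wp_plugin_list_json: str) -> dict:
    """Classify one site's install: update if the vendor fix is available,
    otherwise deactivate until it is; inactive or unaffected installs need no change."""
    for p in json.loads(wp_plugin_list_json):
        if p["name"] != PLUGIN_SLUG:
            continue
        if not is_affected(p["version"]):
            return {"host": host, "version": p["version"], "action": "none: outside affected range"}
        if p["status"] == "inactive":
            return {"host": host, "version": p["version"], "action": "keep inactive; update before re-enabling"}
        if p.get("update") == "available":
            return {"host": host, "version": p["version"], "action": "update now"}
        return {"host": host, "version": p["version"], "action": "deactivate until a fixed release is available"}
    return {"host": host, "version": None, "action": "plugin not installed"}

INVENTORY = {  # constructed: host -> output of `wp plugin list --format=json` on that host
    "docs.example.com": '[{"name":"betterdocs-pro","status":"active","update":"available","version":"3.7.2"}]',
    "kb.example.net": '[{"name":"betterdocs-pro","status":"active","update":"none","version":"3.8.0"}]',
    "shop.example.org": '[{"name":"woocommerce","status":"active","update":"none","version":"9.0.0"}]',
    "intranet.example.com": '[{"name":"betterdocs-pro","status":"inactive","update":"none","version":"3.8"}]',
}

if __name__ == "__main__":
    for host, listing in INVENTORY.items():
        print(triage(host, listing))
```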
