CVE-2026-6393

Name of the Vulnerable Software and Affected Versions BetterDocs versions prior to 4.3.12

Description The plugin contains a missing authorization flaw caused by a lack of capability checks in the generate openai content callback() function. The function relies exclusively on a nonce without verifying user permissions. This allows authenticated attackers with subscriber-level access or higher to trigger OpenAI API calls using the site's configured API key and arbitrary prompts, resulting in the unauthorized consumption of the site owner's paid AI API quota.

Recommendations Update to a version later than 4.3.11. As a temporary workaround, restrict access to the generate openai content callback() function to minimize the risk of exploitation.