PT-2026-38341 · WordPress · Betterdocs Pro

Published: 2026-05-07 · Updated: 2026-05-07 · CVE-2026-4348

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: BetterDocs Pro versions prior to 3.7.1

Description: The plugin is susceptible to SQL Injection through the get current letter docs and docs sort by letter AJAX actions. The limit POST parameter is concatenated directly into the SQL query string before that string is passed to $wpdb->prepare(), so prepare() never sees the value as a bound argument and cannot parameterize it. Unauthenticated attackers can therefore append SQL to the query and extract sensitive information from the database. The issue is exploitable only when the Encyclopedia feature is enabled in the settings.

Recommendations: Update to a version later than 3.7.0. As a temporary mitigation, disable the Encyclopedia feature in the settings to prevent exploitation.
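The advisory does not show the plugin's source, so the following is an added illustration, not BetterDocs code: a hypothetical AJAX handler that reproduces the pattern described above (the limit POST parameter concatenated into the SQL text before $wpdb->prepare() runs), placed beside a version that validates the value and binds it through a %d placeholder. To run it with plain php and no WordPress install, it uses a constructed stand-in for the placeholder handling of wpdb::prepare(); the real method does more, and the query, table and action names are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Constructed stand-in (not WordPress code) for the part of wpdb::prepare()
 * that matters here: %d is coerced to an integer, %f to a float, %s is quoted.
 * Its only job is to let the two builders below run offline for comparison.
 */
final class FakeWpdb
{
    public function prepare(string $query, mixed ...$args): string
    {
        $i = 0;
        return (string) preg_replace_callback('/%[dfs]/', function (array $m) use (&$i, $args): string {
            $value = $args[$i++] ?? '';
            return match ($m[0]) {
                '%d'    => (string) (int) $value,
                '%f'    => (string) (float) $value,
                default => "'" . addslashes((string) $value) . "'",
            };
        }, $query);
    }
}

/** Hypothetical handler mirroring the flaw: `limit` never reaches prepare() as an argument. */
function docs_by_letter_vulnerable(FakeWpdb $wpdb, array $post): string
{
    $letter = (string) ($post['letter'] ?? 'a');
    $limit  = (string) ($post['limit'] ?? '10');

    // BUG (the advisory's pattern): the client-controlled value is pasted into
    // the query text, so prepare() has no placeholder for it and cannot cast
    // or escape it. Whatever the request carried lands in the SQL verbatim.
    $sql = "SELECT ID, post_title FROM wp_posts WHERE post_type = %s"
         . " AND post_title LIKE %s ORDER BY post_title LIMIT " . $limit;

    return $wpdb->prepare($sql, 'docs', $letter . '%');
}

/** Same handler with `limit` validated first and then bound via %d. */
function docs_by_letter_fixed(FakeWpdb $wpdb, array $post): string
{
    $letter = (string) ($post['letter'] ?? 'a');

    // Reject anything that is not a plain positive integer before it gets near
    // SQL. A bound %d would coerce it anyway, but failing loudly on bad input
    // is easier to detect and reason about than silently truncating it.
    $raw = (string) ($post['limit'] ?? '10');
    if (!ctype_digit($raw) || (int) $raw < 1 || (int) $raw > 100) {
        throw new InvalidArgumentException('limit must be an integer between 1 and 100');
    }
    $limit = (int) $raw;

    $sql = "SELECT ID, post_title FROM wp_posts WHERE post_type = %s"
         . " AND post_title LIKE %s ORDER BY post_title LIMIT %d";

    return $wpdb->prepare($sql, 'docs', $letter . '%', $limit);
}

$wpdb = new FakeWpdb();

// Constructed request: `limit` carries text that is plainly not a number.
$post = ['letter' => 'b', 'limit' => '10 /* not a number */'];

// The comment text survives into the query untouched: that is the injection point.
echo "vulnerable: " . docs_by_letter_vulnerable($wpdb, $post) . PHP_EOL;

try {
    echo "fixed:      " . docs_by_letter_fixed($wpdb, $post) . PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo "fixed:      rejected (" . $e->getMessage() . ")" . PHP_EOL;
}

// A well-formed value passes validation and is emitted as a bare integer.
echo "fixed:      " . docs_by_letter_fixed($wpdb, ['letter' => 'b', 'limit' => '10']) . PHP_EOL;
```

The defensive point is the ordering: prepare() can only protect values it receives as arguments, so anything concatenated into the query string beforehand is outside its reach regardless of how the rest of the query is written. Validating the parameter against an allow-list shape (digits only, within a sane range) before it is used gives a clean rejection path that is easy to log and alert on.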

Fix

SQL injection


Weakness Enumeration

Related Identifiers: CVE-2026-4348

Affected Products: Betterdocs Pro