Impact statement: CVE-2026-4348 affects BetterDocs Pro for WordPress through version 3.7.0. Wordfence rates it high severity and Patchstack scores it as high priority because unauthenticated visitors may be able to make the plugin expose sensitive database information when the affected documentation feature is enabled.
This is a protect-only guide. We are not publishing attack steps, scanner-ready checks, or test instructions. The safe answer is to update BetterDocs Pro to 3.7.1 or newer, confirm the version, reduce public exposure until patched, and review the site for suspicious users, changed content, and unusual database or application activity.
Who Is Affected
- WordPress sites running BetterDocs Pro version 3.7.0 or older.
- Sites using the BetterDocs Pro documentation encyclopedia feature.
- Agency, SaaS, LMS, support, and knowledge-base sites where public visitors can browse documentation.
- cPanel, WHM, Plesk, DirectAdmin, and managed WordPress providers hosting customer sites with premium plugins, whose updates do not arrive through the WordPress.org channel and are therefore easy to miss in standard update reporting.
The vulnerability is tied to BetterDocs Pro, not WordPress core. A site can still be fully patched at the WordPress core level and remain exposed if this premium plugin is old.
Patch First
Update BetterDocs Pro to 3.7.1 or newer. If the update does not appear in the dashboard, obtain it through the vendor license, the vendor package download, your agency deployment workflow, or hosting support. Premium plugin updates usually depend on an active license connection to the vendor's update server, so do not assume a normal WordPress update scan picked it up.
# Record the installed version first; the "update" column shows whether WP-CLI can see a newer release
wp plugin list --fields=name,version,status,update | grep -i 'betterdocs' || true
# Update both plugins; do not hide errors, because a license or package failure is exactly what you need to see
wp plugin update betterdocs betterdocs-pro
# Confirm the result: BetterDocs Pro must now report 3.7.1 or newer
wp plugin list --fields=name,version,status | grep -i 'betterdocs' || true
If WP-CLI reports that the pro plugin has no update available or cannot fetch the package, complete the update through the BetterDocs account or your agency/plugin management tool, then rerun the version check. The target is BetterDocs Pro 3.7.1 or newer.
Temporary Protection If You Cannot Patch Today
- Disable the affected BetterDocs Pro feature until the plugin is updated.
- If the documentation area is not business-critical, temporarily restrict public access to those pages.
- Place the site behind a WAF or hosting security rule set that blocks common injection patterns aimed at database queries.
- Disable or remove unused documentation add-ons and old staging copies.
- Back up the site and database before making plugin or cleanup changes.
A WAF can reduce noise and buy time, but it is not a replacement for updating the plugin. Treat the virtual patch as temporary shielding while you get the code fixed.
Safe Review Checklist
After patching, review for signs that the site was probed or abused. Keep the review defensive: look for unexpected admins, changed documentation content, unusual export activity, suspicious database errors, and unfamiliar files. Do not run public exploit tests against production sites.
# Core and plugin versions
wp core version
wp plugin list --fields=name,version,status | grep -i 'betterdocs' || true
# Newest accounts first, then every administrator: an unexpected admin is the clearest sign of abuse
wp user list --fields=ID,user_login,roles,user_registered --orderby=registered --order=DESC | head -n 20
wp user list --role=administrator --fields=ID,user_login,user_email,user_registered
# Site URLs: a changed home or siteurl is a common sign of tampering
wp option get home
wp option get siteurl
On cPanel or WHM-hosted sites, also review the account-level malware scanner, recent access logs, unexpected PHP files in upload/cache locations, and recent database backup timestamps. If the site stores customer tickets, private docs, lead data, or internal support content, treat the review as a data-exposure triage.
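The review steps above (unfamiliar PHP files in upload and cache locations, unexpected administrators, core integrity) can be scripted so that they are repeatable across sites. The helpers below are an added example written for this guide, not code from the advisory or from the BetterDocs project. They assume WP-CLI is installed and that DOCROOT is the directory containing wp-config.php; they only inspect the filesystem and the user table and never touch the plugin's own endpoints.

```shell
#!/bin/sh
# Added example, not from the advisory: defensive post-patch review helpers for
# one WordPress docroot. Assumptions: WP-CLI is installed and DOCROOT is the
# directory that holds wp-config.php. Nothing here touches the plugin's
# endpoints; it only inspects the filesystem and the user table.

# php_under_uploads DOCROOT [DAYS]: list PHP-like files under wp-content/uploads
# and wp-content/cache. Those trees hold media and generated output, so any
# executable file there is worth a look. With DAYS, limit to files modified in
# the last DAYS days (e.g. since the plugin was installed or the advisory date).
php_under_uploads() {
  docroot="$1"; days="${2:-}"
  for dir in "$docroot/wp-content/uploads" "$docroot/wp-content/cache"; do
    [ -d "$dir" ] || continue
    if [ -n "$days" ]; then
      find "$dir" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) -mtime "-$days"
    else
      find "$dir" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \)
    fi
  done
}

# newest_admins DOCROOT: administrators, most recently registered first, so an
# account created during the exposure window sits at the top of the list.
newest_admins() {
  wp --path="$1" --skip-plugins --skip-themes user list --role=administrator \
     --fields=ID,user_login,user_email,user_registered \
     --orderby=registered --order=DESC
}

# core_integrity DOCROOT: compare core files against WordPress.org checksums.
# (wp plugin verify-checksums only covers WordPress.org plugins, so it cannot
# validate the premium BetterDocs Pro package; compare that tree against a
# fresh vendor download instead.)
core_integrity() {
  wp --path="$1" --skip-plugins --skip-themes core verify-checksums
}

# Usage, for example right after updating the plugin:
#   php_under_uploads /var/www/example.com 30
#   newest_admins /var/www/example.com
#   core_integrity /var/www/example.com
```

php_under_uploads only flags files by name, so a web shell hidden in a .jpg with a misconfigured handler will not show up; treat it as a first pass, and follow it with the hosting malware scanner mentioned above.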
Hosting Provider Checklist
- Inventory BetterDocs and BetterDocs Pro across managed WordPress accounts.
- Prioritize public knowledge-base, support portal, LMS, SaaS help center, and membership sites.
- Notify customers that BetterDocs Pro 3.7.0 and older should be updated to 3.7.1 or newer.
- Run malware and integrity scans after the update for sites with exposed documentation areas.
- Apply temporary WAF shielding while customer sites are still pending updates.
- Document customer approvals when premium plugin licenses require owner action.
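The version check in the Patch First section and the fleet inventory in the checklist above come down to the same question: which docroots hold a BetterDocs Pro older than 3.7.1? The script below is an added example for this guide, not code from the advisory or from the BetterDocs project. It assumes WP-CLI is installed, that the pro plugin's slug is betterdocs-pro, and that 3.7.1 is the fixed release; it compares versions numerically, because a plain string comparison would misjudge a future 3.10.x as older than 3.7.1.

```shell
#!/bin/sh
# Added example, not from the advisory: classify BetterDocs Pro installs by
# version across many WordPress docroots. Assumptions: WP-CLI is installed, the
# pro plugin's slug is "betterdocs-pro", and the fixed release is 3.7.1.
FIXED_VERSION="3.7.1"

# version_lt A B: succeed if dotted version A is numerically lower than B.
# Plain string comparison gets this wrong (e.g. "3.10.0" sorts before "3.7.1").
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "[.]"); m = split(b, y, "[.]")
    k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      xi = (i <= n) ? x[i] + 0 : 0   # "+ 0" coerces "0-beta" style tails to 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1                           # equal versions are not "lower"
  }'
}

# classify_plugin_csv SITE: read "name,version,status" rows (the shape produced
# by `wp plugin list --fields=name,version,status --format=csv`) on stdin and
# print one tab-separated line per BetterDocs Pro install, tagged VULNERABLE
# (older than the fixed version) or PATCHED. Inactive installs are reported too:
# an old inactive copy still needs updating before anyone re-enables it.
classify_plugin_csv() {
  site="$1"
  while IFS=, read -r name version status; do
    [ "$name" = "betterdocs-pro" ] || continue
    if version_lt "$version" "$FIXED_VERSION"; then
      printf '%s\t%s\t%s\tVULNERABLE\n' "$site" "$version" "$status"
    else
      printf '%s\t%s\t%s\tPATCHED\n' "$site" "$version" "$status"
    fi
  done
}

# scan_docroots DIR...: run the classification against real sites. --skip-plugins
# keeps the listing fast and independent of broken plugins; it is fine for reading
# versions but must NOT be used for `wp plugin update`, because the vendor's
# license-based updater runs inside the plugin itself.
scan_docroots() {
  for docroot in "$@"; do
    [ -f "$docroot/wp-config.php" ] || continue
    wp --path="$docroot" --skip-plugins --skip-themes plugin list \
       --fields=name,version,status --format=csv </dev/null 2>/dev/null \
      | classify_plugin_csv "$docroot"
  done
}

# Typical hosting use (run as the account user, not root):
#   scan_docroots /home/*/public_html | grep VULNERABLE
```

Feed the VULNERABLE lines into the customer notification step; sites that report PATCHED still get the post-update malware and integrity scans if their documentation area was public during the exposure window.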
What To Tell Customers
Tell customers that a high-priority BetterDocs Pro security update is available, that version 3.7.1 or newer closes the issue, and that older installs should be updated immediately. If the site uses BetterDocs for public help docs, support content, product documentation, or customer-facing knowledge bases, recommend a short post-update review for unusual users, content changes, and suspicious logs.
