Unauthenticated SQL Injection in BetterDocs Pro (<= 3.7.0) — urgent guidance for WordPress admins

By Hong Kong Security Expert — 2026-05-07

A high-severity unauthenticated SQL injection vulnerability (CVE-2026-4348) has been publicly disclosed in BetterDocs Pro versions up to and including 3.7.0. The issue has been scored at CVSS 9.3 and is trivially exploitable in many configurations. Because it is unauthenticated, attacks can be performed by anyone on the internet and are likely to be targeted by automated scanning and mass-exploit campaigns.

This briefing explains the technical impact, detection guidance, immediate and longer-term mitigations, secure coding practices plugin developers should follow, and a practical incident response checklist for sites that may already be compromised. The tone is pragmatic and defensive — the objective is to help administrators secure WordPress sites quickly and effectively.

Pourquoi c'est dangereux

SQL injection allows an attacker to manipulate database queries the plugin performs. When unauthenticated, the attacker does not need to be a logged-in user and can attempt exploitation directly against public endpoints. Potential impacts include:

• Extraction of sensitive data (user accounts, emails, password hashes, private posts, API keys).
• Alteration or deletion of data (creating admin accounts, modifying options, deleting content).
• Remote code execution in chained scenarios (for example, injecting data that leads to a file write or command execution via another vulnerability).
• Complete site takeover and lateral movement to other systems that share credentials.

Because the WordPress database holds site configuration and user credentials, SQLi is among the most severe classes of vulnerabilities. Attackers frequently scan for these issues and often weaponize them into mass compromise campaigns.

What you must do immediately

1. Mettez à jour le plugin

   If you run BetterDocs Pro, update to version 3.7.1 or later immediately. This is the only definitive fix. Test the update on a staging environment where possible, but on active sites the risk of leaving the vulnerable version running usually outweighs small update-testing gaps.

2. If you cannot update immediately, apply compensating controls (virtual patching / targeted blocking)

   Deploy rules that target likely exploitation patterns for this issue. Restrict access to the plugin’s endpoints at the webserver or network firewall level (IP allowlist, require authentication via reverse proxy) where feasible. Monitor logs aggressively for suspicious requests (indicators listed below).

3. Faites une sauvegarde

   Snapshot files and the database before you update, then again after cleanup. If you must roll back, you’ll need a clean snapshot. Ensure backups are stored offsite and immutable where possible.

4. Scannez pour des compromissions

   Run malware and file-integrity scans. Look for new admin users, unexpected scheduled tasks (cron jobs), webshells, and modified files. Check the database for suspicious changes (new options, users, unexpected content).

How attackers likely exploit this vulnerability (high-level, defender-focused)

This section avoids step-by-step exploitation instructions. For defenders, it’s important to understand attack vectors so you can detect and block them.

• Cible : public endpoints added by the plugin — REST API routes, admin-ajax handlers, or other HTTP handlers that accept user input.
• Method: craft HTTP requests with specially designed parameter values that are then interpolated unsafely into SQL queries, enabling injection of SQL fragments such as UNION SELECT, boolean conditions, or time-based functions.
• Détection : exploitation attempts typically contain SQL keywords (UNION, SELECT, information_schema) or database functions (SLEEP, BENCHMARK, load_file). They may also insert quotes and comment markers to change query structure.

Because the vulnerability is unauthenticated, attackers can brute-force a range of inputs across many sites; expect high scan noise in your access logs.

Detection: what to look for in logs and monitoring systems

Review access logs, webserver logs, and any WAF or intrusion detection alerts for the following indicators:

• Requests to BetterDocs Pro endpoints with suspicious query strings or POST bodies.
• Presence of SQL tokens in parameters: union, sélectionner, concat, dormir(, banc d'essai(, information_schema, load_file, into outfile.
• SQL comment markers: --, /*, #.
• Long, encoded payloads containing percent-encoding of SQL keywords (e.g., %55%4e%49%4f%4e for “UNION”).
• Time-based testing attempts that deliberately delay the response (e.g., SLEEP(5)), observable as consistent response time increases correlated with suspicious requests.
• Repeated 200 responses to unusual parameter values, followed by later changes to the database (new users, option changes).

Example defensive patterns (use these within your logging, alerting, or WAF rules):

(?i)(\bunion\b.*\bselect\b|\binformation_schema\b|\bload_file\b|\binto\s+outfile\b|\bbenchmark\b|\bsleep\s*\()

(?i)(--|/\*|\#).*(union|select|sleep)

Be careful with wide regexes — tune them to the plugin’s known endpoints to reduce false positives.

Règles WAF et patching virtuel (exemples pratiques)

If you cannot patch immediately, implement rules to block likely exploitation attempts. Apply rules to the specific endpoints used by the plugin whenever possible to reduce impact on legitimate traffic.

Below are defensive patterns you can implement in ModSecurity, nginx + Lua, or other request-filtering layers. These are conceptual examples — adapt and test them for your environment.

ModSecurity (conceptuel)

SecRule REQUEST_URI "@beginsWith /wp-json/betterdocs/" "phase:2,deny,status:403,msg:'SQLi attempt - BetterDocs endpoint',chain"
SecRule ARGS_NAMES|ARGS "(?i)(union.*select|select.*from|information_schema|load_file|into\s+outfile|benchmark\(|sleep\()"

Nginx with Lua (conceptual)

if ngx.re.match(ngx.var.request_uri, "^/wp-json/betterdocs/") then
  for k, v in pairs(ngx.req.get_uri_args()) do
    if ngx.re.find(v, "(?i)(union.*select|information_schema|sleep\\()", "jo") then
      return ngx.exit(403)
    end
  end
end

Other practical rules and controls:

• Block requests containing SQL comment markers combined with UNION/SELECT: (?i)(--|/\*).*?(union|select).
• Rate limit and throttle requests to plugin endpoints to slow mass scans and brute-force attempts.
• Deny requests with suspiciously long encoded payloads to the plugin endpoints.
• Implement allowlists for legitimate automation (trusted IPs, known integrations).
• Test rules on staging before enabling in production to reduce false positives.

Developer guidance: how the plugin should be fixed (secure code practices)

For plugin developers and maintainers, the root cause of SQL injection is unsafe construction of SQL queries. Use these secure patterns:

1. Parameterized queries: Toujours utiliser $wpdb->préparer.

   global $wpdb;
   $sql = $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}betterdocs WHERE id = %d", (int) $id );
   $rows = $wpdb->get_results( $sql );

2. Sanitize and validate input early: Cast numeric values, use filter_var for emails/URLs, and use sanitize_text_field() ou wp_kses_post() for strings as appropriate.
3. Avoid concatenating user input directly into SQL strings: Never build queries by inserting raw user input.
4. Use WordPress APIs where possible: Préférez WP_User_Query, WP_Query, get_posts(), etc., which abstract database access.
5. Vérifications de capacité et nonces : Even for public endpoints, apply strict validation and careful output encoding to reduce attack surface.
6. Escaping for output vs. SQL escaping: Utilisez wp_kses_post/esc_html for output and $wpdb->préparer for SQL.
7. Secure logging: When logging suspicious input, protect logs and avoid leaking sensitive data in production.

A secure patch will replace unprepared queries with prepared statements, add server-side validation, and reinforce endpoint access rules.

Hardening recommendations for WordPress site owners

Adopt a layered defense approach:

• Inventory and prioritize: Maintain an inventory of installed plugins and versions. Prioritize updates for plugins exposed to unauthenticated HTTP endpoints.
• Principe du moindre privilège : Ensure the database user used by WordPress has the least privileges required. Avoid granting FILE or superuser privileges to the DB account used by the web app.
• File integrity and monitoring: Monitor file changes and set alerts for modified core files, suspicious new files, or changes in wp-config.php.
• Segmentation : If you host many sites, avoid using the same database user/password across multiple sites; isolate each site where possible.
• Backups and recovery practice: Maintain recent, tested backups. Store at least one offsite and immutable backup.
• Logging & retention: Keep web and application logs for forensic analysis — ideally at least 90 days for high-impact systems.
• Défense en profondeur : Use targeted request filtering, rate limiting, and intrusion detection in addition to plugin updates.

Indicators of compromise (IOC): search these in your environment

Si vous soupçonnez une exploitation, vérifiez :

• New administrator accounts: search wp_users for users with elevated capabilities added recently.
• Entrées inattendues dans wp_options (unknown settings, cron schedules).
• Files with suspicious names or executable PHP code in uploads or core directories.
• Outbound network connections from the server you don’t expect (reverse shells, malicious beacons).
• Database dumps exported or unusual database traffic spikes with SELECTs referencing information_schema.

Example query to find recent users added (adjust interval as necessary):

SELECT ID, user_login, user_email, user_registered FROM wp_users WHERE user_registered >= DATE_SUB(NOW(), INTERVAL 7 DAY);

If your site is compromised — incident response checklist

1. Isoler le site : Put the site behind maintenance mode or take it offline to stop further damage.
2. Préserver les preuves : Snapshot the filesystem and database immediately. Preserve logs (webserver, PHP, WAF) with timestamps.
3. Identifiez la portée : Determine when and how the compromise occurred—accounts, files, and whether other sites/hosting accounts were impacted.
4. Remove webshells and backdoors: Search for PHP files containing eval, base64_decode, gzuncompress, or suspicious code. Preserve copies before removal for analysis.
5. Faire tourner les identifiants : Reset WordPress admin passwords, database user passwords, API keys, and hosting control panel credentials.
6. Nettoyer ou restaurer : Restore from a known clean backup if possible. If cleaning manually, ensure all backdoors are removed and re-scan.
7. Renforcer : Apply updates (including the BetterDocs Pro patch), deploy request-filtering rules, and review file permissions.
8. Rétablissez la confiance : If credentials were stolen, notify affected users and rotate any affected secrets.
9. Post-mortem : Document the incident, root cause, remediation steps, and changes to prevent recurrence.

If you need professional remediation help, work with your hosting provider or a trusted security professional who can perform a full forensic analysis.

Testing your defenses (safe methods)

• Use a staging environment to test updates and request-filtering rules.
• Validate that rules do not block legitimate behavior: log normal user flows (searching docs, REST API calls) and confirm they still work.
• Use monitoring mode for detection rules first to identify false positives before blocking.
• Use time-based detection tests that do not trigger exploits; do not test live exploits on production sites without explicit permission and careful safeguards.

Sample logs and suspicious request patterns (defensive examples)

• Example suspicious URI:

  GET /wp-json/betterdocs/v1/search?q=1' UNION SELECT 1,@@version--

• Encoded attempt:

  GET /?search=%27%20UNION%20SELECT%201,version()

• Time-based test pattern:

  POST /wp-admin/admin-ajax.php?action=betterdocs_search
  body: ... sleep(5) ...

Why patching alone might not be enough

Patching is the definitive fix, but attackers often scan and exploit sites immediately after public disclosure. If you have publicly accessible endpoints and do not patch quickly, you are at high risk. If an attacker succeeded before you patched, simply updating will not remove persisted backdoors or any data exfiltration that has already occurred. Combine patching with auditing and remediation: update, audit, and clean.

For hosting providers and agencies: scalable mitigation approach

• Implement temporary virtual patching across hosted sites until customers update plugins.
• Provide customers with scheduled maintenance windows to push critical updates.
• Monitor and isolate hosts that perform noisy scanning behavior.
• Offer managed scanning and remediation for customers who cannot apply updates themselves.

Developer notes: testing and verification after patch

• Tests unitaires : Add tests for database interaction functions to assert they use prepared statements.
• Fuzzing and static analysis: Integrate static analysis tools to identify unprepared SQL strings and run automated fuzzing on endpoints.
• Revue de code : Add mandatory security review sign-off for endpoints that accept public input.

Questions fréquemment posées (FAQ)

Q: I updated to 3.7.1. Do I still need to do anything else?

A: Yes. Updating removes the vulnerability from the plugin code, but you should still scan your site for indicators of compromise (new users, suspicious files, DB changes) to ensure no prior exploitation occurred. Rotate secrets and review logs around the time of disclosure.

Q: I can’t update due to customizations — what do I do?

A: Apply targeted request-filtering rules and restrict access to the plugin endpoints at the webserver level until you can upgrade or refactor custom code. Maintain a staging environment where you can test and port customizations into the patched version.

Q: How can I reduce the chance of similar issues in the future?

A: Enforce secure development practices (parameterized queries, input validation), maintain plugin inventory and update cadence, and deploy layered defenses (request filtering + monitoring + backups).

Notes finales des experts en sécurité de Hong Kong

This vulnerability underscores how quickly unauthenticated bugs can lead to serious compromises. The appropriate response is rapid patching combined with focused virtual patching or request-filtering, thorough incident response, and improved secure development practices. For third-party plugins with public endpoints—such as BetterDocs Pro—assume they are attractive to attackers and apply a layered strategy: keep plugins updated, deploy targeted request-filtering rules, and maintain comprehensive logging and backups.

If you require assistance implementing any recommendations (request-filtering rules, log searches, incident response guidance), engage an experienced security professional or your hosting provider for hands-on remediation.

Appendix — quick checklist (printable)

Restez vigilant,
Expert en sécurité de Hong Kong