CVE-2026-7515: BetterDocs Pro <= 3.8.0 - Unauthenticated Local File Inclusion via doc_style
The BetterDocs Pro plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 3.8.0 via the `doc_style` parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
Local File Inclusion in the BetterDocs Pro WordPress plugin (versions up to and including 3.8.0) allows an unauthenticated remote attacker to supply a crafted value to the `doc_style` parameter, causing the server to load and execute an arbitrary PHP file. No login or user interaction is required; the attacker only needs network access to the WordPress site. Successful exploitation enables full remote code execution, access-control bypass, and disclosure of sensitive server data. No fix version has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as upstream ships a remediated release.
HarborGuard Coverage
Detection for CVE-2026-7515 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Wordfence and the NVD) within minutes of publication and matched against customer images, including custom-built WordPress images that bundle BetterDocs Pro. Any image carrying an affected version of the plugin is flagged automatically.
Available
Triage is available using the CVSS v3.1 base score of 9.8 (Critical), weighted against each customer organization's compliance policy to determine urgency and routing. Findings are dispatched to the appropriate team inbox within the customer org based on configured ownership rules for the affected image or workload.
Available
Because no upstream fix has been published, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available the moment a remediated version of BetterDocs Pro is released. In the interim, customers can use HarborGuard's policy controls to flag or block deployment of any image carrying the vulnerable plugin version.
Pending upstream
Exploit Conditions
- Network reachability: Required
  The vulnerable parameter is exposed over the network, so the attacker must be able to send HTTP requests to the WordPress site.
- Authentication: Not required
  No account or session token is needed; the attack can be launched by any unauthenticated HTTP client.
- Victim interaction: Not required
  The attacker does not need to trick any user into taking an action; the exploit is fully self-contained.
- Attack complexity: Detail
  Exploitation is reliable and condition-free: no race conditions, memory-layout knowledge, or environmental dependencies are required to trigger the file inclusion.
Blast Radius
- Attacker executes arbitrary PHP code on the server, enabling full remote code execution and effective host compromise.
- Attacker reads any file accessible to the web-server process, including WordPress configuration files containing database credentials and secret keys.
- Attacker writes or modifies data by leveraging code execution, including altering database records, creating backdoor accounts, or defacing site content.
- Attacker crashes or destabilizes the WordPress service by executing resource-exhausting or destructive PHP payloads.
How HarborGuard Handles This
Available on HarborGuard: continuous monitoring of this advisory through every ingest cycle, with automatic re-evaluation the moment Wordfence or the upstream maintainer publishes a fix. Because no patched version exists today, customers running images that include BetterDocs Pro <= 3.8.0 are advised to apply compensating controls: use HarborGuard network-policy templates to restrict inbound HTTP access to the WordPress admin surface, enable egress filtering on affected pods to limit post-exploitation reach, and consider disabling or removing the plugin from the image build entirely until a fix is available. For customers with auto-remediation enabled, a rebuilt image and a PR opened against affected workloads will be generated automatically as soon as an upstream fix version is published, with no manual intervention required.
- betterdocs / BetterDocs Pro ≤ 3.8.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
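
The version check behind "flag or block deployment of any image carrying the vulnerable plugin version" can be reproduced at build time. The following is an added example, not HarborGuard or BetterDocs code: it walks an unpacked image root, reads each WordPress plugin header, and reports BetterDocs Pro installs at or below 3.8.0. The `betterdocs-pro` directory name and the 3.8.1 version in the sample tree are constructed for the demo; matching is done on the `Plugin Name:` header, not the directory.

```python
import re
import tempfile
from pathlib import Path

AFFECTED_MAX = (3, 8, 0)        # advisory: up to and including 3.8.0
PLUGIN_NAME = "betterdocs pro"  # compared against the "Plugin Name:" header

# WordPress plugin headers are "Key: value" lines in the main file's top comment.
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)\s*$", re.M | re.I)


def parse_version(text):
    """'3.8' -> (3, 8, 0). A missing version parses as (0, 0, 0), so it is flagged."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def read_plugin_header(php_file):
    """Read the header fields from the first 8 KiB of a plugin file."""
    head = php_file.read_bytes()[:8192].decode("utf-8", "replace")
    return {key.lower(): value for key, value in HEADER.findall(head)}


def find_affected(root):
    """Return (plugin_dir, version) for each affected install under root."""
    hits = []
    for php in sorted(Path(root).glob("**/wp-content/plugins/*/*.php")):
        header = read_plugin_header(php)
        if header.get("plugin name", "").lower() != PLUGIN_NAME:
            continue
        version = header.get("version", "")
        if parse_version(version) <= AFFECTED_MAX:
            hits.append((str(php.parent), version))
    return hits


def demo():
    """Constructed tree: 3.8.0 is affected; 3.8.1 is a made-up later version."""
    with tempfile.TemporaryDirectory() as root:
        for site, ver in (("site-a", "3.8.0"), ("site-b", "3.8.1")):
            plugin = Path(root, site, "wp-content", "plugins", "betterdocs-pro")
            plugin.mkdir(parents=True)
            (plugin / "betterdocs-pro.php").write_text(
                f"<?php\n/**\n * Plugin Name: BetterDocs Pro\n * Version: {ver}\n */\n")
        return [(Path(p).relative_to(root).parts[0], v) for p, v in find_affected(root)]


if __name__ == "__main__":
    print(demo())  # a build gate would exit non-zero when this list is non-empty
```

Because no fixed release exists yet, every currently published version falls inside the flagged range; the upper bound only becomes selective once upstream ships a remediated version.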