CVE-2026-7515
Published 2026-06-19
Priority: P1 (85), critical. CVSS 3.1 base score 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit status: exploited in the wild (ITW), exploit available, listed in VulnCheck KEV
EPSS: 0.89% (54.7th percentile)
The BetterDocs Pro plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 3.8.0 via the `doc_style` parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| authlib | authlib | >= 0 < 1.6.9 | 1.6.9 |
| betterdocs | betterdocs_pro | <= 3.8.0 | — |
| nearform | fast-jwt | 0 – 6.1.0 | — |
| pyjwt_project | pyjwt | >= 0 < 2.12.0 | 2.12.0 |
Note: only the betterdocs_pro row belongs to CVE-2026-7515. The authlib, fast-jwt and pyjwt rows come from the RFC 7515 JWS advisories reproduced further down this page (CVE-2026-27962, CVE-2026-35042 and CVE-2026-32597), which this index groups together with the BetterDocs entry.
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| ghsa | 7.5 | HIGH | |
| vulncheck | 9.8 | CRITICAL | |
| vendor_redhat | 7.5 | HIGH | |
The two 7.5 HIGH scores match the fast-jwt and PyJWT `crit` advisories below (CVE-2026-35042 and CVE-2026-32597), not the BetterDocs Local File Inclusion.
GHSA (ghsa_unreviewed, 2026-06-19): CVE-2026-7515 [CRITICAL] CWE-98
The BetterDocs Pro plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 3.8.0 via the `doc_style` parameter.
GHSA (2026-04-03, CVSS 7.5): CVE-2026-35042 [HIGH] CWE-345
fast-jwt accepts unknown `crit` header extensions (RFC 7515 violation)
## Summary
`fast-jwt` does not validate the `crit` (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a `crit` array listing extensions that `fast-jwt` does not understand, the library accepts the token instead of rejecting it. This violates the **MUST** requirement in the RFC.

---

## RFC Requirement
RFC 7515 §4.1.11:
> If any of the listed extension Header Parameters are **not understood
> and supported** by the recipient, then the **JWS is invalid**.

---

## Proof of Concept
```javascript
// Advisory PoC against fast-jwt v3.3.3. This page carries only its opening lines;
// the fragment is closed here so it parses, without adding the steps that were cut off.
const { createSigner, createVerifier } = require("fast-jwt"); // v3.3.3
const signer = createSigner({ key: "secret", algorithm: "HS256" });
const token = signer({
  sub: "attacker",
  role: "admin",
});
```
GHSA (2026-03-16): CVE-2026-27962 [CRITICAL] CWE-347
Authlib JWS JWK Header Injection: Signature Verification Bypass
## Description
### Summary
A JWK Header Injection vulnerability in `authlib`'s JWS implementation allows an unauthenticated
attacker to forge arbitrary JWT tokens that pass signature verification. When `key=None` is passed
to any JWS deserialization function, the library extracts and uses the cryptographic key embedded
in the attacker-controlled JWT `jwk` header field. An attacker can sign a token with their own
private key, embed the matching public key in the header, and have the server accept the forged
token as cryptographically valid — bypassing authentication and authorization entirely.
This behavior violates **RFC 7515 §4.1.3** and the validation algorithm defined in **RFC 7515 §5.2**.
### Details
**Vulnerable fil
GHSA (2026-03-13, CVSS 7.5): CVE-2026-32597 [HIGH] CWE-345
PyJWT accepts unknown `crit` header extensions
## Summary
PyJWT does not validate the `crit` (Critical) Header Parameter defined in
RFC 7515 §4.1.11. When a JWS token contains a `crit` array listing
extensions that PyJWT does not understand, the library accepts the token
instead of rejecting it. This violates the **MUST** requirement in the RFC.
This is the same class of vulnerability as CVE-2025-59420 (Authlib),
which received CVSS 7.5 (HIGH).

---

## RFC Requirement
RFC 7515 §4.1.11:
> The "crit" (Critical) Header Parameter indicates that extensions to this
> specification and/or [JWA] are being used that **MUST** be understood and
> processed. [...] If any of the listed extension Header Parameters are
> **not understood and supported** by the recipient, then the **JWS is invalid**.
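
The `crit` rule quoted in the fast-jwt and PyJWT advisories above, together with the key-from-header problem in the Authlib advisory, as one added Python example (not code from PyJWT, fast-jwt, Authlib or this page): a recipient-side check of the protected header that runs before any signature verification. The `understood` set, the `allow_header_keys` policy flag and the unsigned `make_token` helper are assumptions of this example.

```python
import base64
import json
from typing import FrozenSet, Optional, Tuple
# Header Parameter names registered for JWS by RFC 7515 §4.1 and JWA (RFC 7518).
# RFC 7515 §4.1.11: "crit" MUST NOT list any of these and MUST NOT be an empty array.
REGISTERED_JWS_HEADERS = frozenset({"alg", "jku", "jwk", "kid", "x5u", "x5c",
                                    "x5t", "x5t#S256", "typ", "cty", "crit"})

def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment as used in JWS compact serialization."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_header(header: dict, understood: FrozenSet[str] = frozenset(),
                 allow_header_keys: bool = False) -> Optional[str]:
    """Return None if the protected header is acceptable, else the reason to reject the JWS.
    `understood` is the set of extension names this recipient actually implements.
    `allow_header_keys` is a local policy flag (an assumption of this example): unless it is
    set, a token that carries its own `jwk`/`jku` is rejected instead of being keyed from it."""
    if not allow_header_keys and ("jwk" in header or "jku" in header):
        return "key material in the token header is not a trusted key source"
    if "crit" not in header:
        return None  # crit is optional; absence imposes no requirement
    crit = header["crit"]
    if not isinstance(crit, list) or not crit:
        return "crit must be a non-empty array"
    for name in crit:
        if not isinstance(name, str):
            return "crit entries must be strings"
        if name in REGISTERED_JWS_HEADERS:
            return f"crit must not list the registered header {name!r}"
        if name not in header:
            return f"crit names {name!r} but the header does not carry it"
        if name not in understood:
            return f"critical extension {name!r} is not understood: JWS is invalid"
    return None

def accept_jws(token: str, understood: FrozenSet[str] = frozenset()) -> Tuple[bool, Optional[str]]:
    """Header checks that must run before signature verification (no signature check here)."""
    protected = json.loads(b64url_decode(token.split(".")[0]))
    reason = check_header(protected, understood)
    return reason is None, reason

def make_token(protected: dict) -> str:
    """Constructed, unsigned compact JWS with an empty payload, for demonstration only."""
    payload = b64url_encode(b"{}")
    return ".".join([b64url_encode(json.dumps(protected).encode()), payload, "sig"])
```

A library that implements `crit` correctly behaves like `check_header` with `understood` equal to the extensions it actually supports; the bug on this page is the missing last branch of the loop.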
VulnCheck (2026, CVSS 9.8): CVE-2026-7515 [CRITICAL]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://patchstack.com/database/wordpress/
Red Hat (vendor_redhat, 2026-03-12, CVSS 7.5): CVE-2026-32597 [HIGH] CWE-347
pyjwt: PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)
PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.
A missing verification step has been discovered in PyJWT. PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requ
No detection rules found.
No public exploits indexed.