Home

Description

The Document Embedder – Embed PDFs, Word, Excel, and Other Files plugin for WordPress is vulnerable to unauthorized access/modification/loss of data in all versions up to, and including, 2.0.0. This is due to the plugin not properly verifying that a user is authorized to perform an action in the "bplde_save_document_library", "bplde_get_all", "bplde_get_single", and "bplde_delete_document_library" functions. This makes it possible for unauthenticated attackers to create, read, update, and delete arbitrary document_library posts.

PUBLISHED Reserved 2025-10-28 | Published 2025-11-05 | Updated 2025-11-05 | Assigner Wordfence




HIGH: 8.6CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

Problem types

CWE-862 Missing Authorization

Product status

Default status
unaffected

* (semver)
affected

Timeline

2025-10-16:Discovered
2025-10-28:Vendor Notified
2025-11-04:Disclosed

Credits

ohmymex finder

References

www.wordfence.com/...-a4ff-4c6c-91de-c0e5ba78f0da?source=cve

plugins.trac.wordpress.org/...ary%2FInit-DocumentLibrary.php

plugins.trac.wordpress.org/...k%2Fdocument-library-block.php

cve.org (CVE-2025-12384)

nvd.nist.gov (CVE-2025-12384)

Download JSON