4 vulnerabilities found for Document Embedder – Embed PDFs, Word, Excel, and Other Files by bplugins
CVE-2026-1389 (GCVE-0-2026-1389)
Vulnerability from nvd – Published: 2026-01-28 07:27 – Updated: 2026-01-28 14:45
Title
Document Embedder <= 2.0.4 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Document Library Entry Deletion
Summary
The Document Embedder – Embed PDFs, Word, Excel, and Other Files plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.4. This is due to the plugin not verifying that a user has permission to access the requested resource in the 'bplde_save_document_library', 'bplde_get_single', and 'bplde_delete_document_library' AJAX actions. This makes it possible for authenticated attackers, with Author-level access and above, to read, modify, and delete Document Library entries created by other users, including administrators, via the 'id' parameter.
Severity
5.3 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Impacted products
| Vendor | Product | Version |
|---|---|---|
| bplugins | Document Embedder – Embed PDFs, Word, Excel, and Other Files | Affected: *, ≤ 2.0.4 (semver) |
Credits
Itthidej Aramsri
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1389",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T14:45:32.505700Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T14:45:49.405Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Document Embedder \u2013 Embed PDFs, Word, Excel, and Other Files",
"vendor": "bplugins",
"versions": [
{
"lessThanOrEqual": "2.0.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Itthidej Aramsri"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Document Embedder \u2013 Embed PDFs, Word, Excel, and Other Files plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.4. This is due to the plugin not verifying that a user has permission to access the requested resource in the \u0027bplde_save_document_library\u0027, \u0027bplde_get_single\u0027, and \u0027bplde_delete_document_library\u0027 AJAX actions. This makes it possible for authenticated attackers, with Author-level access and above, to read, modify, and delete Document Library entries created by other users, including administrators, via the \u0027id\u0027 parameter."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T07:27:34.729Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/59d14f6c-6286-454c-8629-96a0c2de943c?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/document-emberdder/tags/2.0.3/includes/DocumentLibrary/Init-DocumentLibrary.php#L66"
},
{
"url": "https://plugins.trac.wordpress.org/browser/document-emberdder/tags/2.0.3/includes/DocumentLibrary/Init-DocumentLibrary.php#L103"
},
{
"url": "https://plugins.trac.wordpress.org/browser/document-emberdder/tags/2.0.3/includes/DocumentLibrary/Init-DocumentLibrary.php#L159"
},
{
"url": "https://plugins.trac.wordpress.org/browser/document-emberdder/tags/2.0.5/includes/DocumentLibrary/Init-DocumentLibrary.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-23T21:07:02.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-27T19:18:50.000+00:00",
"value": "Disclosed"
}
],
"title": "Document Embedder \u003c= 2.0.4 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Document Library Entry Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1389",
"datePublished": "2026-01-28T07:27:34.729Z",
"dateReserved": "2026-01-23T20:51:53.837Z",
"dateUpdated": "2026-01-28T14:45:49.405Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12384 (GCVE-0-2025-12384)
Vulnerability from nvd – Published: 2025-11-05 06:35 – Updated: 2025-11-05 14:22
Title
Document Embedder – Embed PDFs, Word, Excel, and Other Files <= 2.0.0 - Missing Authorization to Unauthenticated Document Manipulation
Summary
The Document Embedder – Embed PDFs, Word, Excel, and Other Files plugin for WordPress is vulnerable to unauthorized access/modification/loss of data in all versions up to, and including, 2.0.0. This is due to the plugin not properly verifying that a user is authorized to perform an action in the "bplde_save_document_library", "bplde_get_all", "bplde_get_single", and "bplde_delete_document_library" functions. This makes it possible for unauthenticated attackers to create, read, update, and delete arbitrary document_library posts.
Severity
8.6 (High)
CWE
- CWE-862 - Missing Authorization
Impacted products
| Vendor | Product | Version |
|---|---|---|
| bplugins | Document Embedder – Embed PDFs, Word, Excel, and Other Files | Affected: *, ≤ 2.0.0 (semver) |
Credits
ohmymex
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12384",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-05T14:22:25.201758Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-05T14:22:37.337Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Document Embedder \u2013 Embed PDFs, Word, Excel, and Other Files",
"vendor": "bplugins",
"versions": [
{
"lessThanOrEqual": "2.0.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "ohmymex"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Document Embedder \u2013 Embed PDFs, Word, Excel, and Other Files plugin for WordPress is vulnerable to unauthorized access/modification/loss of data in all versions up to, and including, 2.0.0. This is due to the plugin not properly verifying that a user is authorized to perform an action in the \"bplde_save_document_library\", \"bplde_get_all\", \"bplde_get_single\", and \"bplde_delete_document_library\" functions. This makes it possible for unauthenticated attackers to create, read, update, and delete arbitrary document_library posts."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-05T06:35:02.300Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/eb7e4e96-a4ff-4c6c-91de-c0e5ba78f0da?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old=3359820\u0026old_path=document-emberdder%2Ftrunk%2Fincludes%2FDocumentLibrary%2FInit-DocumentLibrary.php\u0026new=\u0026new_path=document-emberdder%2Ftrunk%2Fincludes%2FDocumentLibrary%2FInit-DocumentLibrary.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old=3359820\u0026old_path=document-emberdder%2Ftrunk%2Fdocument-library-block.php\u0026new=\u0026new_path=document-emberdder%2Ftrunk%2Fdocument-library-block.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-16T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-10-28T11:53:00.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-11-04T17:38:20.000+00:00",
"value": "Disclosed"
}
],
"title": "Document Embedder \u2013 Embed PDFs, Word, Excel, and Other Files \u003c= 2.0.0 - Missing Authorization to Unauthenticated Document Manipulation"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-12384",
"datePublished": "2025-11-05T06:35:02.300Z",
"dateReserved": "2025-10-28T11:35:02.879Z",
"dateUpdated": "2025-11-05T14:22:37.337Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1389 (GCVE-0-2026-1389)
Vulnerability from cvelistv5 – Published: 2026-01-28 07:27 – Updated: 2026-01-28 14:45
Title
Document Embedder <= 2.0.4 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Document Library Entry Deletion
Summary
The Document Embedder – Embed PDFs, Word, Excel, and Other Files plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.4. This is due to the plugin not verifying that a user has permission to access the requested resource in the 'bplde_save_document_library', 'bplde_get_single', and 'bplde_delete_document_library' AJAX actions. This makes it possible for authenticated attackers, with Author-level access and above, to read, modify, and delete Document Library entries created by other users, including administrators, via the 'id' parameter.
Severity
5.3 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Impacted products
| Vendor | Product | Version |
|---|---|---|
| bplugins | Document Embedder – Embed PDFs, Word, Excel, and Other Files | Affected: *, ≤ 2.0.4 (semver) |
Credits
Itthidej Aramsri
CVE-2025-12384 (GCVE-0-2025-12384)
Vulnerability from cvelistv5 – Published: 2025-11-05 06:35 – Updated: 2025-11-05 14:22
Title
Document Embedder – Embed PDFs, Word, Excel, and Other Files <= 2.0.0 - Missing Authorization to Unauthenticated Document Manipulation
Summary
The Document Embedder – Embed PDFs, Word, Excel, and Other Files plugin for WordPress is vulnerable to unauthorized access/modification/loss of data in all versions up to, and including, 2.0.0. This is due to the plugin not properly verifying that a user is authorized to perform an action in the "bplde_save_document_library", "bplde_get_all", "bplde_get_single", and "bplde_delete_document_library" functions. This makes it possible for unauthenticated attackers to create, read, update, and delete arbitrary document_library posts.
Severity
8.6 (High)
CWE
- CWE-862 - Missing Authorization
Impacted products
| Vendor | Product | Version |
|---|---|---|
| bplugins | Document Embedder – Embed PDFs, Word, Excel, and Other Files | Affected: *, ≤ 2.0.0 (semver) |
Credits
ohmymex