CVE-2025-12384
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
05/11/2025
Last modified:
06/11/2025
Description
The Document Embedder – Embed PDFs, Word, Excel, and Other Files plugin for WordPress is vulnerable to unauthorized access/modification/loss of data in all versions up to, and including, 2.0.0. This is due to the plugin not properly verifying that a user is authorized to perform an action in the "bplde_save_document_library", "bplde_get_all", "bplde_get_single", and "bplde_delete_document_library" functions. This makes it possible for unauthenticated attackers to create, read, update, and delete arbitrary document_library posts.
Impact
Base Score 3.x
8.60
Severity 3.x
HIGH
References to Advisories, Solutions, and Tools
- https://plugins.trac.wordpress.org/changeset?old=3359820&old_path=document-emberdder/trunk/document-library-block.php&new=&new_path=document-emberdder/trunk/document-library-block.php
- https://plugins.trac.wordpress.org/changeset?old=3359820&old_path=document-emberdder/trunk/includes/DocumentLibrary/Init-DocumentLibrary.php&new=&new_path=document-emberdder/trunk/includes/DocumentLibrary/Init-DocumentLibrary.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/eb7e4e96-a4ff-4c6c-91de-c0e5ba78f0da?source=cve