CVE-2025-12384: CWE-862 Missing Authorization in bplugins Document Embedder – Embed PDFs, Word, Excel, and Other Files
The Document Embedder – Embed PDFs, Word, Excel, and Other Files plugin for WordPress is vulnerable to unauthorized access/modification/loss of data in all versions up to, and including, 2.0.0. This is due to the plugin not properly verifying that a user is authorized to perform an action in the "bplde_save_document_library", "bplde_get_all", "bplde_get_single", and "bplde_delete_document_library" functions. This makes it possible for unauthenticated attackers to create, read, update, and delete arbitrary document_library posts.
AI Analysis
Technical Summary
CVE-2025-12384 is a missing authorization vulnerability in the Document Embedder – Embed PDFs, Word, Excel, and Other Files WordPress plugin (versions up to 2.0.0). The plugin fails to verify that users are authorized to perform actions in the functions bplde_save_document_library, bplde_get_all, bplde_get_single, and bplde_delete_document_library. This flaw enables unauthenticated attackers to perform unauthorized create, read, update, and delete operations on document_library posts, potentially leading to data loss or modification.
Potential Impact
An attacker without authentication can manipulate document_library posts arbitrarily, resulting in unauthorized data access, modification, or deletion. This compromises the confidentiality, integrity, and availability of the affected data managed by the plugin. The CVSS score of 8.6 reflects high impact with a network attack vector, no privileges required, and no user interaction needed.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the plugin's functionality by limiting user permissions and consider disabling the plugin if not essential. Monitor for updates from the vendor or security advisories for a patch or temporary workaround.
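An inventory check to support the recommendation above, added here as an example (not part of the original advisory or the plugin's code): it reads WordPress plugin file headers under a plugins directory and flags installs at or below 2.0.0. Matching on the display name is an assumption because the advisory gives no directory slug; the function names and the sample header are constructed for illustration.

```python
import re
from pathlib import Path

LAST_AFFECTED = (2, 0, 0)  # advisory: all versions up to and including 2.0.0
# Assumption: match on the "Plugin Name:" header, since the advisory gives no slug.
NAME_PATTERN = re.compile(r"document embedder", re.I)
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.I | re.M)

# Constructed sample of a plugin main-file header (not copied from the plugin).
SAMPLE = """<?php
/**
 * Plugin Name: Document Embedder – Embed PDFs, Word, Excel, and Other Files
 * Version: 2.0.0
 */
"""


def parse_header(php_source):
    """Return the Plugin Name and Version header fields, keyed in lower case."""
    fields = {}
    for key, value in HEADER.findall(php_source[:8192]):  # WordPress reads the first 8 KB
        fields.setdefault(key.lower(), value.rstrip("*/ \t"))
    return fields


def version_tuple(version):
    """'2.0' -> (2, 0, 0); suffixes such as '-beta1' are dropped; () if not numeric."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        return ()
    parts = [int(n) for n in m.group(0).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def assess(php_source):
    """None if the file is not this plugin, else a status string."""
    fields = parse_header(php_source)
    if not NAME_PATTERN.search(fields.get("plugin name", "")):
        return None
    version = version_tuple(fields.get("version", ""))
    if not version:
        return "unknown"  # no readable version: review by hand
    return "affected" if version <= LAST_AFFECTED else "above-affected-range"


def scan(plugins_dir):
    """Map each matching main file under a wp-content/plugins directory to its status."""
    results = {}
    for php in Path(plugins_dir).glob("*/*.php"):
        status = assess(php.read_text(encoding="utf-8", errors="replace"))
        if status:
            results[str(php)] = status
    return results
```

A result of "above-affected-range" only means the version is higher than the range this advisory lists; it does not confirm that a fix has shipped.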
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-28T11:35:02.879Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 690af19c063e7c5f011fbd4a
Added to database: 11/5/2025, 6:41:32 AM
Last enriched: 4/9/2026, 9:18:33 AM
Last updated: 5/10/2026, 4:56:23 AM