
CVE-2025-12384: CWE-862 Missing Authorization in bplugins Document Embedder – Embed PDFs, Word, Excel, and Other Files

Severity: High
Type: Vulnerability
Tags: cve-2025-12384, cwe-862
Published: Wed Nov 05 2025 (11/05/2025, 06:35:02 UTC)
Source: CVE Database V5
Vendor/Project: bplugins
Product: Document Embedder – Embed PDFs, Word, Excel, and Other Files

Description

The Document Embedder – Embed PDFs, Word, Excel, and Other Files plugin for WordPress is vulnerable to unauthorized access/modification/loss of data in all versions up to, and including, 2.0.0. This is due to the plugin not properly verifying that a user is authorized to perform an action in the "bplde_save_document_library", "bplde_get_all", "bplde_get_single", and "bplde_delete_document_library" functions. This makes it possible for unauthenticated attackers to create, read, update, and delete arbitrary document_library posts.

AI-Powered Analysis

AI analysis last updated: 11/05/2025, 06:56:26 UTC

Technical Analysis

CVE-2025-12384 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the 'Document Embedder – Embed PDFs, Word, Excel, and Other Files' WordPress plugin developed by bplugins. The vulnerability exists because the plugin fails to verify user authorization in several critical functions: 'bplde_save_document_library', 'bplde_get_all', 'bplde_get_single', and 'bplde_delete_document_library'. These functions manage the creation, retrieval, updating, and deletion of document_library posts, which represent embedded documents such as PDFs, Word, and Excel files. Due to the lack of proper authorization checks, unauthenticated attackers can remotely invoke these functions to manipulate document libraries arbitrarily. This means attackers can upload malicious documents, exfiltrate sensitive embedded files, modify existing content, or delete documents, leading to data loss and potential defacement. The vulnerability affects all versions up to and including 2.0.0 of the plugin. The CVSS 3.1 base score is 8.6, reflecting high severity with network attack vector, no privileges or user interaction required, and impacts on confidentiality (low), integrity (high), and availability (low). No patches or exploits are currently publicly available, but the vulnerability is published and should be considered exploitable given the ease of attack and lack of authentication barriers.
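The following PHP is an added illustration of the CWE-862 pattern described above and of the corresponding fix for a WordPress AJAX handler; it is not the bplugins plugin's source code, and the function names, the nonce action, the request parameters and the assumption that the document_library post type uses the standard post capabilities ('edit_post', 'delete_post', 'edit_posts') are all hypothetical. The vulnerable handler is exposed on the unauthenticated nopriv hook and never checks the caller's capabilities; the hardened handlers drop the nopriv hook, verify a nonce, and check a per-post capability before creating, updating or deleting a document_library post.

```php
<?php
// Illustrative code (hypothetical, not the bplugins plugin's own source).
// Shows the missing-authorization pattern behind CWE-862 and a hardened version.

// --- VULNERABLE PATTERN ------------------------------------------------------
// Registered on wp_ajax_nopriv_* so any visitor can reach it, and it writes
// posts without ever asking whether the caller is allowed to.
function insecure_save_document_library() {
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $title   = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';

    $args = array(
        'post_type'   => 'document_library',
        'post_title'  => $title,
        'post_status' => 'publish',
    );
    if ( $post_id ) {
        $args['ID'] = $post_id;
        $result     = wp_update_post( $args, true );
    } else {
        $result = wp_insert_post( $args, true );
    }
    wp_send_json_success( array( 'id' => $result ) );
}
add_action( 'wp_ajax_insecure_save_document_library', 'insecure_save_document_library' );
add_action( 'wp_ajax_nopriv_insecure_save_document_library', 'insecure_save_document_library' ); // reachable unauthenticated

// --- HARDENED PATTERN --------------------------------------------------------
// 1. No nopriv hook: only logged-in users reach the handler.
// 2. check_ajax_referer() rejects requests that lack a valid nonce (CSRF).
// 3. current_user_can() enforces authorization with the per-post meta
//    capabilities, so a low-privileged user cannot touch other users' posts.
//    wp_send_json_error() calls wp_die(), so execution stops on failure.
function secure_save_document_library() {
    check_ajax_referer( 'document_library_nonce', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $title   = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';

    if ( $post_id ) {
        // Update: the target must be a document_library post the caller may edit.
        if ( 'document_library' !== get_post_type( $post_id )
            || ! current_user_can( 'edit_post', $post_id ) ) {
            wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
        }
    } elseif ( ! current_user_can( 'edit_posts' ) ) {
        // Create: the caller needs the general editing capability.
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $args = array(
        'post_type'   => 'document_library',
        'post_title'  => $title,
        'post_status' => 'publish',
    );
    if ( $post_id ) {
        $args['ID'] = $post_id;
        $result     = wp_update_post( $args, true );
    } else {
        $result = wp_insert_post( $args, true );
    }
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 400 );
    }
    wp_send_json_success( array( 'id' => $result ) );
}
add_action( 'wp_ajax_secure_save_document_library', 'secure_save_document_library' );

function secure_delete_document_library() {
    check_ajax_referer( 'document_library_nonce', 'nonce' );
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

    // Same rule for deletion: right post type and a per-post delete capability.
    if ( ! $post_id
        || 'document_library' !== get_post_type( $post_id )
        || ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    wp_delete_post( $post_id, true );
    wp_send_json_success( array( 'deleted' => $post_id ) );
}
add_action( 'wp_ajax_secure_delete_document_library', 'secure_delete_document_library' );

// The nonce the front end must send is minted server-side for the logged-in
// user when the admin script is enqueued (script handle and file are hypothetical).
function secure_document_library_enqueue() {
    wp_enqueue_script( 'document-library-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'document-library-admin', 'documentLibrary', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'document_library_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'secure_document_library_enqueue' );
```

When reviewing a plugin for this class of bug, the two questions to ask of every AJAX or REST handler are whether it is reachable without login (wp_ajax_nopriv_* hooks, or a REST route whose permission_callback returns true) and whether it calls current_user_can() for the specific object it is about to read, write or delete; the nonce check alone is not authorization, since a nonce only proves the request originated from a page the site served to that user.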

Potential Impact

For European organizations, this vulnerability poses significant risks to the confidentiality, integrity, and availability of embedded documents on WordPress websites using the affected plugin. Sensitive corporate documents, internal reports, or client data embedded via this plugin could be exposed or altered by attackers, leading to data breaches, reputational damage, and potential regulatory non-compliance under GDPR. The ability to delete or modify embedded documents can disrupt business operations, especially for organizations relying on these documents for customer interactions or internal workflows. Attackers could also leverage this vulnerability to inject malicious content or links, facilitating further compromise or phishing attacks. Given the widespread use of WordPress in Europe across sectors such as government, education, and commerce, the impact could be broad, affecting both public-facing and internal sites. The lack of authentication requirements lowers the barrier for exploitation, increasing the likelihood of attacks if the vulnerability is not promptly addressed.

Mitigation Recommendations

1. Immediately audit all WordPress installations for the presence of the 'Document Embedder – Embed PDFs, Word, Excel, and Other Files' plugin and identify affected versions (up to 2.0.0).
2. Disable or uninstall the plugin until an official patch or update addressing CVE-2025-12384 is released by bplugins.
3. Monitor official bplugins channels and WordPress plugin repositories for security updates and apply patches promptly once available.
4. Implement web application firewalls (WAF) with custom rules to detect and block suspicious requests targeting the vulnerable functions, especially those attempting unauthorized document library operations.
5. Conduct regular security reviews of WordPress plugins focusing on authorization controls to prevent similar vulnerabilities.
6. Restrict access to WordPress admin and plugin endpoints via IP whitelisting or VPN where feasible to reduce exposure.
7. Maintain regular backups of WordPress content and embedded documents to enable recovery in case of data loss or tampering.
8. Educate site administrators on the risks of installing unverified plugins and the importance of timely updates.


Technical Details

Data Version
5.2
Assigner Short Name
Wordfence
Date Reserved
2025-10-28T11:35:02.879Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 690af19c063e7c5f011fbd4a

Added to database: 11/5/2025, 6:41:32 AM

Last enriched: 11/5/2025, 6:56:26 AM

Last updated: 11/5/2025, 10:00:20 AM

