CVE-2025-12384: CWE-862 Missing Authorization in bplugins Document Embedder – Embed PDFs, Word, Excel, and Other Files
The Document Embedder – Embed PDFs, Word, Excel, and Other Files plugin for WordPress is vulnerable to unauthorized access/modification/loss of data in all versions up to, and including, 2.0.0. This is due to the plugin not properly verifying that a user is authorized to perform an action in the "bplde_save_document_library", "bplde_get_all", "bplde_get_single", and "bplde_delete_document_library" functions. This makes it possible for unauthenticated attackers to create, read, update, and delete arbitrary document_library posts.
AI Analysis
Technical Summary
The Document Embedder plugin for WordPress, developed by bplugins, has a missing authorization vulnerability (CWE-862) tracked as CVE-2025-12384 that affects every version up to and including 2.0.0. The root cause is that the handlers 'bplde_save_document_library', 'bplde_get_all', 'bplde_get_single', and 'bplde_delete_document_library' do their work without first checking that the caller is allowed to perform it. These handlers manage posts of the plugin's document_library custom post type, each of which represents an embedded document such as a PDF, Word or Excel file. Because nothing rejects anonymous callers, an unauthenticated remote attacker can invoke the handlers to create document_library posts, read existing ones, overwrite their content, or delete them. In WordPress this is the usual shape of CWE-862: a handler that is reachable by unauthenticated users (typically through a wp_ajax_nopriv_ hook or a REST route with a permissive permission_callback) and that never calls current_user_can(). The advisory does not say which transport the plugin uses, and a nonce check alone would not close the gap, because a nonce proves where a request came from, not whether the caller is permitted to act. The consequences are loss of integrity (an attacker can, for example, rewrite an existing embed so that it serves a file of their choosing), disclosure of whatever the document_library posts contain or reference, and loss of availability of the embeds when the posts are deleted. Exploitation needs no privileges, no user interaction and only network access to the site, which is why the CVSS v3.1 base score is 8.6: High impact on integrity and Low (partial) impact on confidentiality and availability. The page lists only the score; CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L is the vector that yields 8.6 for that profile. No patch was listed at the time of disclosure and no in-the-wild exploitation had been reported. Given how widely WordPress is deployed and how common document-embedding plugins are, sites that rely on this plugin to publish documents should treat the issue as urgent.
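To make the root cause concrete, the following is an added illustration written for this page, not code from the plugin or from bplugins. It shows a minimal admin-ajax delete handler in the shape the advisory describes, followed by hardened versions of the delete and get_single handlers. The advisory names only the handler functions and the document_library post type; the hook names, the nonce action 'bplde_nonce', the `id` request parameter and the assumption that the post type is registered with capability_type 'post' and map_meta_cap enabled are mine. The same three checks (nonce, post-type confinement, object-level capability) apply to the save and get_all handlers, and to a REST route through its permission_callback.

```php
<?php
/*
 * Added illustration for this advisory, not the plugin's own code.
 * Assumed: the handlers are admin-ajax actions named after the functions,
 * the nonce action is 'bplde_nonce', and the document_library post type was
 * registered with capability_type 'post' and map_meta_cap enabled, so that
 * WordPress resolves delete_post / read_post against the specific object.
 */

/* ---- Vulnerable shape (CWE-862): reachable without login, and the
 * handler never asks whether the caller may act on the object. ---- */
add_action( 'wp_ajax_bplde_delete_document_library',        'vuln_bplde_delete_document_library' );
add_action( 'wp_ajax_nopriv_bplde_delete_document_library', 'vuln_bplde_delete_document_library' );

function vuln_bplde_delete_document_library() {
    $post_id = isset( $_POST['id'] ) ? (int) $_POST['id'] : 0;
    // No nonce, no capability check, no post-type check: any visitor can
    // delete any post whose ID they guess, not only document_library posts.
    wp_delete_post( $post_id, true );
    wp_send_json_success( array( 'deleted' => $post_id ) );
}

/* ---- Hardened shape: authenticate the request (nonce), confine it to
 * the plugin's post type, then authorize against the specific object. ---- */

// Only wp_ajax_ (logged-in) registrations. With no wp_ajax_nopriv_ hook,
// anonymous callers get WordPress's default "0" response and never reach us.
add_action( 'wp_ajax_bplde_delete_document_library', 'safe_bplde_delete_document_library' );
add_action( 'wp_ajax_bplde_get_single',              'safe_bplde_get_single' );

// Shared lookup: returns the document_library post or ends the request with 404.
function bplde_document_or_404( $post_id ) {
    $post = $post_id ? get_post( $post_id ) : null;
    if ( ! $post || 'document_library' !== $post->post_type ) {
        wp_send_json_error( array( 'message' => 'not found' ), 404 ); // exits
    }
    return $post;
}

function safe_bplde_delete_document_library() {
    check_ajax_referer( 'bplde_nonce', 'nonce' );          // CSRF: dies on a bad nonce
    $post = bplde_document_or_404( isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0 );
    // Object-level authorization: delete_post resolves to delete_posts or
    // delete_others_posts for this post, so authors cannot delete each other's.
    if ( ! current_user_can( 'delete_post', $post->ID ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    wp_delete_post( $post->ID, true );
    wp_send_json_success( array( 'deleted' => $post->ID ) );
}

function safe_bplde_get_single() {
    check_ajax_referer( 'bplde_nonce', 'nonce' );
    $post = bplde_document_or_404( isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0 );
    // read_post resolves to 'read' for public posts and to read_private_posts
    // or edit rights for drafts and private ones; an anonymous caller fails it.
    if ( ! current_user_can( 'read_post', $post->ID ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    wp_send_json_success( array(
        'id'      => $post->ID,
        'title'   => $post->post_title,
        'content' => $post->post_content,
    ) );
}
```

The order of the checks matters: the nonce rejects cross-site requests before any database work, the post-type check stops the handler from being used as a generic delete-any-post primitive, and the per-object capability check is what actually fixes CWE-862. Checking only `is_user_logged_in()` would still let a subscriber delete an administrator's documents.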
Potential Impact
For organizations running the affected plugin the impact is direct. Reading document_library posts can expose embedded documents that were never meant to be public, including confidential, financial or personal records. Rewriting them lets an attacker replace a legitimately embedded document with content of their choosing, for instance a lure document served from a trusted domain as part of a phishing campaign. Deleting them removes the embeds and breaks the pages that display them. Each of these can disrupt operations, damage reputation and create compliance exposure where regulated data is involved. Because exploitation needs neither credentials nor user interaction, the attack is trivially scriptable against every reachable site with the plugin installed, which is the usual precursor to mass exploitation of WordPress plugin flaws. No in-the-wild exploitation had been reported at the time of writing, which limits the immediate impact, but the combination of a high CVSS score and an unauthenticated, low-complexity attack path makes future attacks likely.
Mitigation Recommendations
First establish exposure: check whether the site has the bplugins Document Embedder plugin installed and active, and record its version (the WordPress plugin screen or WP-CLI's plugin list both show this); anything at or below 2.0.0 is affected. Since no fix was listed at disclosure, watch the vendor's site and the WordPress.org plugin repository for a release that addresses CVE-2025-12384 and apply it as soon as it is available. Until then, the cleanest interim measure is to deactivate the plugin if it is not essential, since the vulnerable handlers are only reachable while the plugin is active. Where it must stay active, add an application-layer control in front of the handlers: a WAF rule, or a small must-use plugin, that refuses requests invoking 'bplde_save_document_library', 'bplde_get_all', 'bplde_get_single' or 'bplde_delete_document_library' unless they come from an authenticated user with at least the edit_posts capability. This has to be done at the application layer; network ACLs cannot see which handler a request targets, and admin-ajax.php and the REST API must stay reachable for the site to work. Pair the control with logging of every refused request so that probing is visible, and audit the existing document_library posts for entries created, changed or deleted outside the normal editorial workflow, paying particular attention to embeds whose source now points at an unfamiliar host. Finally, make sure site administrators know about the issue so that the vendor's patch is applied promptly when it appears.
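The interim application-layer control described above, as an added example for this page and not code from the vendor or from any WAF product: a must-use plugin that refuses and logs calls to the four handlers from callers who are not logged in with edit_posts. The advisory names only the handler functions, so the matching is an assumption: it treats a request as targeting a handler if the handler name appears in the `action` request parameter (the admin-ajax convention) or in the REST route path. If the plugin uses other names, adjust BPLDE_GATED_HANDLERS. Drop the file into wp-content/mu-plugins/ and remove it once a fixed plugin release is installed.

```php
<?php
/*
 * Plugin Name: bplde interim gate (added example for this advisory, not vendor code)
 *
 * Stop-gap for CVE-2025-12384 until a fixed release of Document Embedder
 * is available. Assumptions: the four handlers are reached either through
 * admin-ajax.php (?action=<handler name>) or through a REST route whose
 * path contains the handler name. Logged-in users with edit_posts are let
 * through so normal editing keeps working; everyone else is refused with a
 * 403 and the attempt is written to the PHP error log for the audit step.
 */

const BPLDE_GATED_HANDLERS = array(
    'bplde_save_document_library',
    'bplde_get_all',
    'bplde_get_single',
    'bplde_delete_document_library',
);

// Returns the gated handler name contained in $value, or '' if none matches.
function bplde_gate_matches( $value ) {
    if ( ! is_string( $value ) ) {
        return '';
    }
    foreach ( BPLDE_GATED_HANDLERS as $name ) {
        if ( false !== stripos( $value, $name ) ) {
            return $name;
        }
    }
    return '';
}

// Minimum bar for create/read/update/delete of a post-type object.
function bplde_gate_allowed() {
    return is_user_logged_in() && current_user_can( 'edit_posts' );
}

function bplde_gate_log( $handler, $via ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-';
    // Lands in the PHP error log (or wp-content/debug.log with WP_DEBUG_LOG);
    // forward it to the SIEM so repeated hits from one source are visible.
    error_log( sprintf( '[bplde-gate] blocked %s via %s from %s uid=%d',
        $handler, $via, $ip, get_current_user_id() ) );
}

// 1) admin-ajax.php and any front-end handler keyed on ?action=...
//    Priority 0 on init runs before plugin code hooked at the default 10.
add_action( 'init', function () {
    $handler = bplde_gate_matches( isset( $_REQUEST['action'] ) ? $_REQUEST['action'] : '' );
    if ( '' === $handler || bplde_gate_allowed() ) {
        return;
    }
    bplde_gate_log( $handler, 'action-param' );
    wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // exits
}, 0 );

// 2) REST API: short-circuit before the route callback runs. By this point
//    WordPress has already applied REST authentication, so a cookie without a
//    valid REST nonce is treated as an anonymous caller.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    $route   = $request->get_route();
    $handler = bplde_gate_matches( $route );
    if ( '' === $handler || bplde_gate_allowed() ) {
        return $result;
    }
    bplde_gate_log( $handler, 'rest:' . $route );
    return new WP_Error( 'rest_forbidden', 'forbidden', array( 'status' => 403 ) );
}, 10, 3 );
```

This is a virtual patch, not a fix: it blocks the known entry points under the naming assumption above, so verify it against the plugin's actual hooks on a staging copy (an authenticated editor should still be able to save and delete embeds, an anonymous request to the same endpoints should get a 403 and a log line), and keep it only until the vendor's corrected release, which will contain the proper per-object checks, is installed.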
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Netherlands, Japan, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-28T11:35:02.879Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 690af19c063e7c5f011fbd4a
Added to database: 11/5/2025, 6:41:32 AM
Last enriched: 2/27/2026, 8:27:07 PM
Last updated: 3/25/2026, 1:28:33 AM