Vulnerabilities and security researches fordocument-emberdder document-emberdder

Apr 15, 2026

CVE, Research URL: CVE-2026-1389
Home page URL: Security reports for Document Embedder
Application: Document Embedder
Date: Jan 28, 2026
Research Description: The Document Embedder – Embed PDFs, Word, Excel, and Other Files plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.4. This is due to the plugin not verifying that a user has permission to access the requested resource in the 'bplde_save_document_library', 'bplde_get_single', and 'bplde_delete_document_library' AJAX actions. This makes it possible for authenticated attackers, with Author-level access and above, to read, modify, and delete Document Library entries created by other users, including administrators, via the 'id' parameter.
Affected versions: max 2.0.5.
Status: vulnerable

Nov 11, 2025

CVE, Research URL: CVE-2025-12384
Home page URL: Security reports for Document Embedder
Application: Document Embedder
Date: Nov 05, 2025
Research Description: The Document Embedder – Embed PDFs, Word, Excel, and Other Files plugin for WordPress is vulnerable to unauthorized access/modification/loss of data in all versions up to, and including, 2.0.0. This is due to the plugin not properly verifying that a user is authorized to perform an action in the "bplde_save_document_library", "bplde_get_all", "bplde_get_single", and "bplde_delete_document_library" functions. This makes it possible for unauthenticated attackers to create, read, update, and delete arbitrary document_library posts.
Affected versions: max 2.0.1.
Status: vulnerable

Jun 07, 2024

CVE, Research URL: CVE-2021-24868
Home page URL: Security reports for Document Embedder
Application: Document Embedder
Date: Feb 01, 2022
Research Description: The Document Embedder WordPress plugin before 1.7.9 contains a AJAX action endpoint, which could allow any authenticated user, such as subscriber to enumerate the title of arbitrary private and draft posts.
Affected versions: max 1.7.9.
Status: vulnerable

CVE, Research URL: CVE-2021-24775
Home page URL: Security reports for Document Embedder
Application: Document Embedder
Date: Feb 01, 2022
Research Description: The Document Embedder WordPress plugin before 1.7.5 contains a REST endpoint, which could allow unauthenticated users to enumerate the title of arbitrary private and draft posts.
Affected versions: max 1.7.6.
Status: vulnerable