CVE-2025-12384

CVE-2025-12384 affects the Document Embedder – Embed PDFs, Word, Excel, and Other Files plugin for WordPress in all versions up to and including 2.0.0. The vulnerability enables unauthorized access, modification, and loss of data due to missing authorization checks in the "bplde_save_document_library", "bplde_get_all", "bplde_get_single", and "bplde_delete_document_library" functions. This allows attackers to create, read, update, and delete arbitrary document_library posts. It is rated with a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L) and is associated with CWE-862 (Missing Authorization).

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation grants low-level confidentiality impact by reading document_library posts, high integrity impact through unauthorized creation, updates, and deletions, and low availability impact, potentially disrupting document management on affected WordPress sites.

Mitigation details are available in plugin advisories, including Wordfence threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/eb7e4e96-a4ff-4c6c-91de-c0e5ba78f0da?source=cve. Patches addressing the authorization checks appear in WordPress plugin trac changesets: https://plugins.trac.wordpress.org/changeset?old=3359820&old_path=document-emberdder%2Ftrunk%2Fdocument-library-block.php&new=&new_path=document-emberdder%2Ftrunk%2Fdocument-library-block.php and https://plugins.trac.wordpress.org/changeset?old=3359820&old_path=document-emberdder%2Ftrunk%2Fincludes%2FDocumentLibrary%2FInit-DocumentLibrary.php&new=&new_path=document-emberdder%2Ftrunk%2Fincludes%2FDocumentLibrary%2FInit-DocumentLibrary.php. Security practitioners should update to a patched version beyond 2.0.0 and review sites using this plugin.