Description
The Document Embedder – Embed PDFs, Word, Excel, and Other Files plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.4. This is due to the plugin not verifying that a user has permission to access the requested resource in the 'bplde_save_document_library', 'bplde_get_single', and 'bplde_delete_document_library' AJAX actions. This makes it possible for authenticated attackers, with Author-level access and above, to read, modify, and delete Document Library entries created by other users, including administrators, via the 'id' parameter.
Published: 2026-01-28
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data tampering and deletion of document library entries by users with Author or higher roles
Action: Patch Update
AI Analysis

Impact

The plugin fails to verify user permissions when handling the AJAX actions that save, fetch, or delete document library items. An attacker who is logged in with the Author role or higher can supply the 'id' parameter to read, modify, or delete any entry created by other users, including administrators. This compromises the integrity of the document library, can lead to accidental or malicious data loss, and undermines trust in the platform. The flaw is an insecure direct object reference (CWE-639): the handler acts on whatever 'id' it is given without checking that the caller owns, or is otherwise allowed to touch, that entry.
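As an added illustration of the pattern described above (not the plugin's own code: the handler bodies, the 'bplde_document' post type and the 'bplde_nonce' nonce action are assumptions), a delete handler that trusts the 'id' parameter beside one that checks ownership before acting:

```php
<?php
// Added illustration of the CWE-639 pattern. Not the plugin's own code: the
// 'bplde_document' post type and the 'bplde_nonce' nonce action are assumptions.

// Vulnerable shape (deliberately NOT hooked): any logged-in user who can reach
// admin-ajax.php deletes whichever entry the 'id' parameter names, because
// nothing ties the id to the caller.
function vulnerable_delete_document_library() {
    $id = isset($_POST['id']) ? absint($_POST['id']) : 0;
    wp_delete_post($id, true);
    wp_send_json_success(array('deleted' => $id));
}

// Hardened shape: nonce, object lookup, type check, then an explicit ownership
// check before anything is deleted. Registered on the action name the advisory
// lists; wp_ajax_* hooks only fire for authenticated users.
add_action('wp_ajax_bplde_delete_document_library', 'hardened_delete_document_library');
function hardened_delete_document_library() {
    check_ajax_referer('bplde_nonce', 'nonce'); // CSRF protection (assumed nonce action)

    $id   = isset($_POST['id']) ? absint($_POST['id']) : 0;
    $post = $id ? get_post($id) : null;

    // Refuse ids that do not refer to a document library entry at all.
    if (!$post || 'bplde_document' !== $post->post_type) {
        wp_send_json_error(array('message' => 'not found'), 404);
    }

    // IDOR fix: the caller must own the entry or be an administrator.
    $is_owner = (int) $post->post_author === get_current_user_id();
    if (!$is_owner && !current_user_can('manage_options')) {
        wp_send_json_error(array('message' => 'forbidden'), 403);
    }

    wp_delete_post($id, true);
    wp_send_json_success(array('deleted' => $id));
}
```

The same ownership check belongs in the save and get-single handlers; a read-only fetch still leaks other users' entries if it skips it.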

Affected Systems

Affected products include the WordPress plugin Document Embedder – Embed PDFs, Word, Excel, and Other Files. Versions up to 2.0.4 are vulnerable; version 2.0.5 and later contain the fix. Any site running the plugin in those versions is at risk. No other versions are mentioned.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of widespread exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated user with at least Author privileges, and the attacker must send an HTTP request to the affected AJAX endpoints with a crafted 'id' parameter. Because only users who can access the plugin's UI can trigger the AJAX calls, the attack surface is limited to sites with many users holding elevated roles.

Generated by OpenCVE AI on April 15, 2026 at 19:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Document Embedder plugin to version 2.0.5 or newer, where proper permission checks are implemented.
  • Restrict the Author role to the minimum necessary capabilities and consider removing delete privileges from non-admin users.
  • As a temporary safeguard, disable or limit the 'bplde_delete_document_library' AJAX action for non-admin users, either by adding a check to the site's functions.php or through a security plugin.
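One way to apply the temporary safeguard from the last bullet, as an added example (not from the plugin or from OpenCVE) that gates all three affected AJAX actions rather than only the delete one; it assumes a stock WordPress install where the snippet is placed in functions.php or a file under wp-content/mu-plugins/:

```php
<?php
// Added stop-gap, not the plugin's code: refuse the three affected AJAX actions
// to anyone without 'manage_options' until the site is upgraded to 2.0.5.
// In admin-ajax.php the 'admin_init' action runs before the wp_ajax_* hook,
// so this check executes before the plugin's handler is reached.
add_action('admin_init', function () {
    if (!wp_doing_ajax()) {
        return;
    }

    // Action names as listed in the advisory.
    $gated = array(
        'bplde_save_document_library',
        'bplde_get_single',
        'bplde_delete_document_library',
    );

    $action = isset($_REQUEST['action'])
        ? sanitize_key(wp_unslash($_REQUEST['action']))
        : '';

    if (in_array($action, $gated, true) && !current_user_can('manage_options')) {
        // Leave a trace for detection: who was blocked from which action.
        error_log(sprintf('bplde gate: user %d blocked from %s',
            get_current_user_id(), $action));
        // wp_send_json_error() ends the request, so the handler never runs.
        wp_send_json_error(array('message' => 'forbidden'), 403);
    }
});
```

Remove the gate once the upgrade is in place, since it also blocks legitimate non-admin use of the document library.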

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000
  Type: Metrics
  Values Removed: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}
  Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Thu, 29 Jan 2026 10:15:00 +0000
  Type: First Time appeared
  Values Added: Bplugins; Bplugins document Embedder; Wordpress; Wordpress wordpress
  Type: Vendors & Products
  Values Added: Bplugins; Bplugins document Embedder; Wordpress; Wordpress wordpress

Wed, 28 Jan 2026 15:15:00 +0000
  Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 28 Jan 2026 07:45:00 +0000
  Type: Description
  Values Added: The Document Embedder – Embed PDFs, Word, Excel, and Other Files plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.4. This is due to the plugin not verifying that a user has permission to access the requested resource in the 'bplde_save_document_library', 'bplde_get_single', and 'bplde_delete_document_library' AJAX actions. This makes it possible for authenticated attackers, with Author-level access and above, to read, modify, and delete Document Library entries created by other users, including administrators, via the 'id' parameter.
  Type: Title
  Values Added: Document Embedder <= 2.0.4 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Document Library Entry Deletion
  Type: Weaknesses
  Values Added: CWE-639
  Type: References
  Values Added:
  Type: Metrics
  Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:54:55.705Z

Reserved: 2026-01-23T20:51:53.837Z

Link: CVE-2026-1389

Vulnrichment

Updated: 2026-01-28T14:45:39.450Z

NVD

Status: Deferred

Published: 2026-01-28T08:16:03.400

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1389

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T19:00:12Z

Weaknesses