CVE-2026-1389

MEDIUM 4.3

Document Embedder <= 2.0.4 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Document Library Entry Deletion

CVSS Score

4.3

EPSS Score

0.0%

EPSS Percentile

0th

The Document Embedder – Embed PDFs, Word, Excel, and Other Files plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.4. This is due to the plugin not verifying that a user has permission to access the requested resource in the 'bplde_save_document_library', 'bplde_get_single', and 'bplde_delete_document_library' AJAX actions. This makes it possible for authenticated attackers, with Author-level access and above, to read, modify, and delete Document Library entries created by other users, including administrators, via the 'id' parameter.

CWE	CWE-639
Vendor	bplugins
Product	document embedder – embed pdfs, word, excel, and other files
Published	Jan 28, 2026
Last Updated	Apr 8, 2026

Stay Ahead of the Next One

Get instant alerts for bplugins document embedder – embed pdfs, word, excel, and other files

Be the first to know when new medium vulnerabilities affecting bplugins document embedder – embed pdfs, word, excel, and other files are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

bplugins / Document Embedder – Embed PDFs, Word, Excel, and Other Files

0 ≤ 2.0.4

References

NVD ↗ CVE.org ↗ EPSS Data ↗

Credits

Itthidej Aramsri