CVE-2026-1389 in Document Embedder Plugin

Summary

by MITRE • 01/28/2026

The Document Embedder – Embed PDFs, Word, Excel, and Other Files plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.4. This is due to the plugin not verifying that a user has permission to access the requested resource in the 'bplde_save_document_library', 'bplde_get_single', and 'bplde_delete_document_library' AJAX actions. This makes it possible for authenticated attackers, with Author-level access and above, to read, modify, and delete Document Library entries created by other users, including administrators, via the 'id' parameter.


Analysis

by VulDB Data Team • 01/29/2026

The Document Embedder plugin for WordPress presents a critical Insecure Direct Object Reference vulnerability that undermines the security model of the platform. This flaw exists in all versions up to and including 2.0.4 and specifically affects three key AJAX endpoints: bplde_save_document_library, bplde_get_single, and bplde_delete_document_library. The vulnerability stems from the plugin's failure to implement proper access control verification when processing user requests through these interfaces. The absence of object reference validation allows malicious actors to manipulate the 'id' parameter to target resources belonging to other users within the document library system.

The technical implementation of this vulnerability enables authenticated attackers with Author-level privileges or higher to bypass normal permission controls that should restrict access to documents created by different users. When an attacker exploits this weakness, they can perform unauthorized operations including reading confidential documents, modifying content created by administrators and other users, and deleting important files from the document library. The vulnerability essentially allows privilege escalation within the plugin's scope, letting a holder of a standard user role reach resources that should remain restricted to their owners. This represents a direct violation of the principle of least privilege and demonstrates poor input validation practices that are commonly classified under CWE-284.

The operational impact of this vulnerability extends beyond simple data access issues and creates significant risks for WordPress installations using the affected plugin. Attackers can potentially access sensitive documents, manipulate content, and cause data integrity issues within the document management system. The vulnerability affects the entire document library ecosystem, making it possible for unauthorized users to compromise the confidentiality and availability of files stored within the plugin's framework. This threat is particularly concerning in environments where administrators store sensitive information in the document library, as it provides a pathway for attackers to access critical data that should remain protected.

Security mitigations for this vulnerability require immediate plugin updates to versions that implement proper access control checks for all affected AJAX endpoints. Organizations should also consider implementing additional monitoring of the affected plugin's AJAX actions to detect potential exploitation attempts. The recommended approach includes validating user permissions before processing requests through the bplde_save_document_library, bplde_get_single, and bplde_delete_document_library endpoints. This aligns with the ATT&CK technique T1078.004 which focuses on valid accounts and credential access through the exploitation of weak access controls. System administrators should also review user permissions and implement role-based access controls to minimize the potential impact of compromised accounts. The vulnerability demonstrates the importance of proper input validation and access control implementation as outlined in the OWASP Top Ten security principles, specifically addressing the risk of insecure direct object references that can lead to unauthorized data access and manipulation.
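The object-level check the analysis recommends, shown as an added example for a WordPress AJAX handler. This is illustrative code written for this page, not the Document Embedder plugin's own code, and it assumes a hypothetical custom post type 'bplde_document' registered with `map_meta_cap` enabled, a hypothetical nonce action 'bplde_example_nonce', and the function names prefixed `bplde_example_`; the plugin's actual storage and internals are not known from the advisory. The first handler shows the pattern that produces an IDOR (the 'id' is trusted once the caller is logged in); the helper and the three hooked handlers show the same actions with an ownership check, plus a log line for denied attempts so the endpoints can be monitored.

```php
<?php
/**
 * Added example, not the plugin's code. Assumes document-library entries are
 * posts of a hypothetical post type 'bplde_document' registered with
 * 'map_meta_cap' => true, so read_post/edit_post/delete_post resolve against
 * the entry's author.
 */

// Pattern that produces the IDOR: wp_ajax_* hooks only require a logged-in
// user, and the handler never asks whether THIS user may see THIS entry.
function bplde_example_get_single_unchecked() {
    $id   = absint( $_POST['id'] ?? 0 );
    $post = get_post( $id );
    if ( ! $post ) {
        wp_send_json_error( 'not found', 404 );
    }
    // Missing: an object-level authorization check on $post.
    wp_send_json_success( array( 'id' => $post->ID, 'content' => $post->post_content ) );
}

/**
 * Central authorization helper shared by all three actions.
 * Returns the post on success; otherwise sends a JSON error and exits
 * (wp_send_json_error() ends the request via wp_die()).
 */
function bplde_example_authorize_entry( $id, $cap ) {
    $post = get_post( $id );
    if ( ! $post || 'bplde_document' !== $post->post_type ) {
        wp_send_json_error( 'not found', 404 );
    }
    // Object-level check: current_user_can() with a post ID goes through
    // map_meta_cap, so an Author without edit_others_posts/delete_others_posts
    // is refused for entries created by other users, including administrators.
    if ( ! current_user_can( $cap, $post->ID ) ) {
        // Detection aid: record denied cross-user attempts for monitoring.
        error_log( sprintf(
            'bplde: user %d denied %s on entry %d (owner %d) via action %s',
            get_current_user_id(),
            $cap,
            $post->ID,
            (int) $post->post_author,
            sanitize_key( $_POST['action'] ?? '' )
        ) );
        wp_send_json_error( 'forbidden', 403 );
    }
    return $post;
}

function bplde_example_get_single() {
    // Nonce check stops CSRF; it is not a substitute for the ownership check.
    check_ajax_referer( 'bplde_example_nonce', 'nonce' );
    $post = bplde_example_authorize_entry( absint( $_POST['id'] ?? 0 ), 'read_post' );
    wp_send_json_success( array( 'id' => $post->ID, 'content' => $post->post_content ) );
}

function bplde_example_save() {
    check_ajax_referer( 'bplde_example_nonce', 'nonce' );
    $post = bplde_example_authorize_entry( absint( $_POST['id'] ?? 0 ), 'edit_post' );
    wp_update_post( array(
        'ID'           => $post->ID,
        'post_content' => wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) ),
    ) );
    wp_send_json_success( array( 'id' => $post->ID ) );
}

function bplde_example_delete() {
    check_ajax_referer( 'bplde_example_nonce', 'nonce' );
    $post = bplde_example_authorize_entry( absint( $_POST['id'] ?? 0 ), 'delete_post' );
    wp_delete_post( $post->ID, true );
    wp_send_json_success( array( 'id' => $post->ID ) );
}

// Hook the checked handlers to the action names listed in the advisory.
add_action( 'wp_ajax_bplde_get_single',              'bplde_example_get_single' );
add_action( 'wp_ajax_bplde_save_document_library',   'bplde_example_save' );
add_action( 'wp_ajax_bplde_delete_document_library', 'bplde_example_delete' );
```

Routing all three actions through one helper keeps the authorization decision in a single place, so a future endpoint cannot forget it, and the `error_log` line gives operators a concrete signal (user, capability, entry, owner, action) to alert on while an affected site is awaiting the update.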

Disclosure

01/28/2026

Moderation

accepted

CPE

ready

EPSS

0.00052

KEV

no

Activities

very low
