CVE-2026-1389

The Document Embedder – Embed PDFs, Word, Excel, and Other Files plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.4. This is due to the plugin not verifying that a user has permission to access the requested resource in the 'bplde_save_document_library', 'bplde_get_single', and 'bplde_delete_document_library' AJAX actions. This makes it possible for authenticated attackers, with Author-level access and above, to read, modify, and delete Document Library entries created by other users, including administrators, via the 'id' parameter.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/document-emberdder/tags/2.0.3/includes/DocumentLibrary/Init-DocumentLibrary.php#L103
https://plugins.trac.wordpress.org/browser/document-emberdder/tags/2.0.3/includes/DocumentLibrary/Init-DocumentLibrary.php#L159
https://plugins.trac.wordpress.org/browser/document-emberdder/tags/2.0.3/includes/DocumentLibrary/Init-DocumentLibrary.php#L66
https://plugins.trac.wordpress.org/browser/document-emberdder/tags/2.0.5/includes/DocumentLibrary/Init-DocumentLibrary.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/59d14f6c-6286-454c-8629-96a0c2de943c?source=cve

Configurations

No configuration.

History

No history.

Information

Published : 2026-01-28 08:16

Updated : 2026-01-29 16:31

NVD link : CVE-2026-1389

Mitre link : CVE-2026-1389

CVE.ORG link : CVE-2026-1389

JSON object : View

Products Affected

No product.

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

{"id": "CVE-2026-1389", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2026-01-28T08:16:03.400", "references": [{"url": "https://plugins.trac.wordpress.org/browser/document-emberdder/tags/2.0.3/includes/DocumentLibrary/Init-DocumentLibrary.php#L103", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/document-emberdder/tags/2.0.3/includes/DocumentLibrary/Init-DocumentLibrary.php#L159", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/document-emberdder/tags/2.0.3/includes/DocumentLibrary/Init-DocumentLibrary.php#L66", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/document-emberdder/tags/2.0.5/includes/DocumentLibrary/Init-DocumentLibrary.php", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/59d14f6c-6286-454c-8629-96a0c2de943c?source=cve", "source": "security@wordfence.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security@wordfence.com", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "The Document Embedder \u2013 Embed PDFs, Word, Excel, and Other Files plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.4. This is due to the plugin not verifying that a user has permission to access the requested resource in the 'bplde_save_document_library', 'bplde_get_single', and 'bplde_delete_document_library' AJAX actions. This makes it possible for authenticated attackers, with Author-level access and above, to read, modify, and delete Document Library entries created by other users, including administrators, via the 'id' parameter."}], "lastModified": "2026-01-29T16:31:35.700", "sourceIdentifier": "security@wordfence.com"}