CVE-2025-12384: 
WordPress vulnerability analysis and mitigation

CVE-2025-12384 affects the Document Embedder WordPress plugin (versions up to 2.0.0), which is designed for embedding PDFs, Word, Excel, and other files. The vulnerability was discovered and disclosed on November 4, 2025, by Wordfence security researchers (Wordfence Intel).

The vulnerability stems from missing authorization checks in multiple plugin functions including 'bpldesavedocumentlibrary', 'bpldegetall', 'bpldegetsingle', and 'bpldedeletedocumentlibrary'. The severity is rated as HIGH with a CVSS v3.1 base score of 8.6 (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L). The vulnerability is classified as CWE-862 (Missing Authorization) (NVD, Rapid7).

The vulnerability allows unauthenticated attackers to create, read, update, and delete arbitrary document_library posts. This represents a significant security breach as it enables unauthorized access to and manipulation of document libraries within WordPress installations using the affected plugin (NVD).

Users should update their Document Embedder plugin to a version newer than 2.0.0 when available. Until then, considering the severity of the vulnerability, users should consider disabling the plugin if it's not critical to their operations (NVD).