Document Embedder < 2.0.5 – Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Document Library Entry Deletion | CVE 2026-1389 | Plugin Vulnerabilities

Description

The Document Embedder – Embed PDFs, Word, Excel, and Other Files plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.4. This is due to the plugin not verifying that a user has permission to access the requested resource in the 'bplde_save_document_library', 'bplde_get_single', and 'bplde_delete_document_library' AJAX actions. This makes it possible for authenticated attackers, with Author-level access and above, to read, modify, and delete Document Library entries created by other users, including administrators, via the 'id' parameter.

Affects Plugins

document-emberdder

Fixed in 2.0.5

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/59d14f6c-6286-454c-8629-96a0c2de943c

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Itthidej Aramsri (Boeing777)

Verified

No

WPVDB ID

49b67049-5a48-4bdc-9599-eac3af46edb7

Timeline

Publicly Published

2026-01-27 (about 3 months ago)

Added

2026-01-27 (about 3 months ago)

Last Updated

2026-03-27 (about 1 month ago)

Other

Published

Title

Published

2025-01-09

Title

One to one user Chat by WPGuppy < 1.1.1 - Authorization Bypass

Published

2024-09-13

Title

WooCommerce Multiple Free Gift <= 1.2.3 - Insufficient Server-Side Validation to Arbitrary Gift Adding

Published

2024-12-02

Title

WPCasa < 1.3.0 - Insecure Direct Object Reference

Published

2023-02-27

Title

WooCommerce Multiple Customer Addresses & Shipping < 21.7 - Arbitrary Address Creation/Deletion/Access/Update via IDOR

Published

2024-06-06

Title

Tutor LMS – eLearning and online course solution < 2.7.2 - Authenticated (Instructor+) Insecure Direct Object Reference to Arbitrary Quiz Attempt Deletion