Document Embedder – Embed PDFs, Word, Excel, and Other Files Security & Risk Analysis

wordpress.org/plugins/document-emberdder

Document Embedder lets you display PDF, DOCX, PPTX, XLSX, and other files in WordPress sites with a responsive viewer and optional download button.

10K active installs · v2.0.6 · PHP 7.1+ · WP 6.5+ · Updated Mar 2, 2026
add-document, document-embedder, embed-any-document, embed-pdf, pdf-embedder
93 · A · Safe
CVEs total: 4
Unpatched: 0
Last CVE: Jan 27, 2026
Safety Verdict

Is Document Embedder – Embed PDFs, Word, Excel, and Other Files Safe to Use in 2026?

Generally Safe

Score 93/100

Document Embedder – Embed PDFs, Word, Excel, and Other Files has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Jan 27, 2026 · Updated 1mo ago
Risk Assessment

The static analysis of document-emberdder v2.0.6 indicates a generally robust security posture, with all identified entry points possessing authentication checks and no critical or high-severity taint analysis findings. The plugin also demonstrates good practices regarding SQL query preparation and a significant number of nonce and capability checks. However, the vulnerability history reveals a concerning pattern of past security issues, primarily related to authorization vulnerabilities, including one high-severity CVE. While there are currently no unpatched CVEs, the plugin's history suggests a recurring need for vigilance and prompt patching. The significant number of output escape issues (29% not properly escaped) presents a potential risk for cross-site scripting (XSS) vulnerabilities, although none were specifically identified in the taint analysis. The inclusion of a bundled Freemius v1.0 library, while not immediately flagged as a critical issue, warrants attention as older versions of bundled libraries can sometimes introduce vulnerabilities if not updated.

In conclusion, document-emberdder v2.0.6 has strong foundational security practices in place, particularly concerning its entry points and data handling with prepared SQL statements. The absence of critical code-level vulnerabilities in the static and taint analysis is positive. Nevertheless, the historical prevalence of authorization and information exposure vulnerabilities, coupled with the unescaped output percentage, necessitates continued monitoring and a proactive approach to security updates to mitigate the risks indicated by past incidents.

Key Concerns

  • Bundled outdated library (Freemius v1.0)
  • Significant percentage of unescaped output (29%)
  • Past high-severity vulnerability (1)
  • Past medium-severity vulnerabilities (3)
Vulnerabilities: 4

Document Embedder – Embed PDFs, Word, Excel, and Other Files Security Vulnerabilities

CVEs by Year

  • 2 CVEs in 2022
  • 1 CVE in 2025
  • 1 CVE in 2026

Severity Breakdown

  • High: 1
  • Medium: 3

4 total CVEs

CVE-2026-1389 · medium · 5.3 · Authorization Bypass Through User-Controlled Key

Document Embedder <= 2.0.4 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Document Library Entry Deletion

Jan 27, 2026 Patched in 2.0.5 (1d)
CVE-2025-12384 · high · 8.6 · Missing Authorization

Document Embedder – Embed PDFs, Word, Excel, and Other Files <= 2.0.0 - Missing Authorization to Unauthenticated Document Manipulation

Nov 4, 2025 Patched in 2.0.1 (1d)
CVE-2021-24775 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

Document Embedder < 1.7.6 - Sensitive Data Exposure

Jan 3, 2022 Patched in 1.7.6 (750d)
CVE-2021-24868 · medium · 4.3 · Improper Authorization

Document Embedder <= 1.7.8 - Subscriber+ Arbitrary Private/Draft Post Title Disclosure

Jan 3, 2022 Patched in 1.7.9 (750d)
Code Analysis
Analyzed Mar 16, 2026

Document Embedder – Embed PDFs, Word, Excel, and Other Files Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (2 prepared)
  • Unescaped Output: 232 (581 escaped)
  • Nonce Checks: 17
  • Capability Checks: 9
  • File Operations: 0
  • External Requests: 0
  • Bundled Libraries: 1

Bundled Libraries

Freemius 1.0

SQL Query Safety

100% prepared · 2 total queries

Output Escaping

71% escaped · 813 total outputs
Data Flows
All sanitized

Data Flow Analysis

5 flows
csf_export (frameworks\Codestar\functions\actions.php:62)
Attack Surface

Document Embedder – Embed PDFs, Word, Excel, and Other Files Attack Surface

Entry Points: 12
Unprotected: 0

AJAX Handlers 10

auth · wp_ajax_csf-get-icons · frameworks\Codestar\functions\actions.php:50
auth · wp_ajax_csf-export · frameworks\Codestar\functions\actions.php:87
auth · wp_ajax_csf-import · frameworks\Codestar\functions\actions.php:123
auth · wp_ajax_csf-reset · frameworks\Codestar\functions\actions.php:150
auth · wp_ajax_csf-chosen · frameworks\Codestar\functions\actions.php:189
auth · wp_ajax_pdfp_get_doc_meta · includes\DocumentEmbedder\Rest\getMeta.php:9
auth · wp_ajax_bplde_save_document_library · includes\DocumentLibrary\Init-DocumentLibrary.php:12
auth · wp_ajax_bplde_get_single · includes\DocumentLibrary\Init-DocumentLibrary.php:13
auth · wp_ajax_bplde_delete_document_library · includes\DocumentLibrary\Init-DocumentLibrary.php:14
auth · wp_ajax_bplde_get_all · includes\DocumentLibrary\Init-DocumentLibrary.php:15

Shortcodes 2

[doc] includes\DocumentEmbedder\Services\Shortcode.php:11
[document_library] includes\DocumentLibrary\Init-DocumentLibrary.php:9
WordPress Hooks 81
action · init · blocks.php:10
action · init · document-library-block.php:12
action · enqueue_block_assets · document-library-block.php:13
action · wp_enqueue_scripts · frameworks\Codestar\classes\abstract.class.php:20
action · admin_menu · frameworks\Codestar\classes\admin-options.class.php:107
action · admin_bar_menu · frameworks\Codestar\classes\admin-options.class.php:108
action · network_admin_menu · frameworks\Codestar\classes\admin-options.class.php:112
filter · admin_footer_text · frameworks\Codestar\classes\admin-options.class.php:432
action · add_meta_boxes_comment · frameworks\Codestar\classes\comment-options.class.php:38
action · edit_comment · frameworks\Codestar\classes\comment-options.class.php:39
action · customize_register · frameworks\Codestar\classes\customize-options.class.php:44
action · customize_save_after · frameworks\Codestar\classes\customize-options.class.php:45
action · wp_enqueue_scripts · frameworks\Codestar\classes\customize-options.class.php:49
action · add_meta_boxes · frameworks\Codestar\classes\metabox-options.class.php:52
action · save_post · frameworks\Codestar\classes\metabox-options.class.php:53
action · edit_attachment · frameworks\Codestar\classes\metabox-options.class.php:54
action · wp_nav_menu_item_custom_fields · frameworks\Codestar\classes\nav-menu-options.class.php:32
action · wp_update_nav_menu_item · frameworks\Codestar\classes\nav-menu-options.class.php:33
filter · wp_edit_nav_menu_walker · frameworks\Codestar\classes\nav-menu-options.class.php:35
action · admin_init · frameworks\Codestar\classes\profile-options.class.php:32
action · show_user_profile · frameworks\Codestar\classes\profile-options.class.php:44
action · edit_user_profile · frameworks\Codestar\classes\profile-options.class.php:45
action · personal_options_update · frameworks\Codestar\classes\profile-options.class.php:47
action · edit_user_profile_update · frameworks\Codestar\classes\profile-options.class.php:48
action · after_setup_theme · frameworks\Codestar\classes\setup.class.php:73
action · init · frameworks\Codestar\classes\setup.class.php:74
action · switch_theme · frameworks\Codestar\classes\setup.class.php:75
action · admin_enqueue_scripts · frameworks\Codestar\classes\setup.class.php:76
action · wp_enqueue_scripts · frameworks\Codestar\classes\setup.class.php:77
action · wp_head · frameworks\Codestar\classes\setup.class.php:78
filter · admin_body_class · frameworks\Codestar\classes\setup.class.php:79
action · admin_footer · frameworks\Codestar\classes\shortcode-options.class.php:47
action · customize_controls_print_footer_scripts · frameworks\Codestar\classes\shortcode-options.class.php:48
action · elementor/editor/before_enqueue_scripts · frameworks\Codestar\classes\shortcode-options.class.php:59
action · elementor/editor/footer · frameworks\Codestar\classes\shortcode-options.class.php:60
action · elementor/editor/footer · frameworks\Codestar\classes\shortcode-options.class.php:61
action · enqueue_block_editor_assets · frameworks\Codestar\classes\shortcode-options.class.php:258
action · media_buttons · frameworks\Codestar\classes\shortcode-options.class.php:262
action · admin_init · frameworks\Codestar\classes\taxonomy-options.class.php:41
action · admin_footer · frameworks\Codestar\fields\icon\icon.php:41
action · customize_controls_print_footer_scripts · frameworks\Codestar\fields\icon\icon.php:42
action · admin_print_footer_scripts · frameworks\Codestar\fields\link\link.php:65
action · print_default_editor_scripts · frameworks\Codestar\fields\wp_editor\wp_editor.php:62
action · admin_menu · frameworks\Codestar\views\welcome.php:19
filter · plugin_action_links · frameworks\Codestar\views\welcome.php:20
filter · plugin_row_meta · frameworks\Codestar\views\welcome.php:21
action · plugins_loaded · includes\class-initBPLDEPlugin.php:6
action · admin_notices · includes\class-initBPLDEPlugin.php:7
action · admin_enqueue_scripts · includes\DocumentEmbedder\Api\DropboxApi.php:15
filter · script_loader_tag · includes\DocumentEmbedder\Api\DropboxApi.php:16
action · admin_footer · includes\DocumentEmbedder\Api\DropboxApi.php:17
action · admin_enqueue_scripts · includes\DocumentEmbedder\Api\GoogleDriveApi.php:16
action · admin_footer · includes\DocumentEmbedder\Api\GoogleDriveApi.php:17
filter · script_loader_tag · includes\DocumentEmbedder\Api\GoogleDriveApi.php:18
action · plugins_loaded · includes\DocumentEmbedder\class-BPLDocumentEmbedder.php:15
action · admin_init · includes\DocumentEmbedder\class-BPLDocumentEmbedder.php:16
action · plugins_loaded · includes\DocumentEmbedder\class-BPLDocumentEmbedder.php:17
action · admin_enqueue_scripts · includes\DocumentEmbedder\class-BPLDocumentEmbedder.php:18
action · wp_enqueue_scripts · includes\DocumentEmbedder\class-BPLDocumentEmbedder.php:19
action · admin_head · includes\DocumentEmbedder\class-BPLDocumentEmbedder.php:21
action · admin_footer · includes\DocumentEmbedder\class-BPLDocumentEmbedder.php:202
action · admin_footer · includes\DocumentEmbedder\class-BPLDocumentEmbedder.php:246
action · admin_menu · includes\DocumentEmbedder\Model\SubMenus.php:8
action · admin_menu · includes\DocumentEmbedder\Model\SubMenus.php:9
action · init · includes\DocumentEmbedder\PostType\PPTViewer.php:9
action · init · includes\DocumentEmbedder\PostType\PPTViewer.php:10
filter · post_row_actions · includes\DocumentEmbedder\PostType\PPTViewer.php:15
action · admin_head-post.php · includes\DocumentEmbedder\PostType\PPTViewer.php:16
action · admin_head-post-new.php · includes\DocumentEmbedder\PostType\PPTViewer.php:17
filter · gettext · includes\DocumentEmbedder\PostType\PPTViewer.php:18
filter · post_updated_messages · includes\DocumentEmbedder\PostType\PPTViewer.php:19
action · edit_form_after_title · includes\DocumentEmbedder\PostType\PPTViewer.php:20
action · init · includes\DocumentLibrary\DocumentLibrary.php:19
filter · use_block_editor_for_post_type · includes\DocumentLibrary\DocumentLibrary.php:20
action · admin_enqueue_scripts · includes\DocumentLibrary\DocumentLibrary.php:21
action · admin_head · includes\DocumentLibrary\DocumentLibrary.php:22
action · edit_form_after_title · includes\DocumentLibrary\DocumentLibrary.php:23
action · init · includes\DocumentLibrary\DocumentLibrary.php:24
action · init · includes\DocumentLibrary\Init-DocumentLibrary.php:6
action · plugins_loaded · includes\DocumentLibrary\Init-DocumentLibrary.php:7
action · admin_enqueue_scripts · includes\DocumentLibrary\Init-DocumentLibrary.php:8
Maintenance & Trust

Document Embedder – Embed PDFs, Word, Excel, and Other Files Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 2, 2026
PHP min version: 7.1
Downloads: 219K

Community Trust

Rating: 98/100
Number of ratings: 118
Active installs: 10K
Developer Profile

Document Embedder – Embed PDFs, Word, Excel, and Other Files Developer Profile

colorlibplugins

120 plugins · 738K total installs

Trust score: 78
Avg Security Score: 99/100
Avg Patch Time: 140 days
Detection Fingerprints

How We Detect Document Embedder – Embed PDFs, Word, Excel, and Other Files

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/document-emberdder/assets/css/style.css
/wp-content/plugins/document-emberdder/assets/js/main.js
Script Paths
/wp-content/plugins/document-emberdder/assets/js/main.js
Version Parameters
document-emberdder/assets/css/style.css?ver=
document-emberdder/assets/js/main.js?ver=

HTML / DOM Fingerprints

CSS Classes
bplde-document-container
Data Attributes
data-document-embedder-id
JS Globals
BPLDE_VER, BPLDE_PRO_IMPORT, BPLDE_PLUGIN_DIR, BPLDE_PLUGIN_PATH, BPLDE__FILE__, BPLDE_IMPORT (+1 more)
Shortcode Output
[document-embedder url=
FAQ

Frequently Asked Questions about Document Embedder – Embed PDFs, Word, Excel, and Other Files