CVE-2026-1389

Document Embedder <= 2.0.4 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Document Library Entry Deletion

Severity: medium
Weakness: Authorization Bypass Through User-Controlled Key
CVSS Score: 4.3
Patched in: 2.0.5
Time to patch: 59d

Description

The Document Embedder – Embed PDFs, Word, Excel, and Other Files plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.4. This is due to the plugin not verifying that a user has permission to access the requested resource in the 'bplde_save_document_library', 'bplde_get_single', and 'bplde_delete_document_library' AJAX actions. This makes it possible for authenticated attackers, with Author-level access and above, to read, modify, and delete Document Library entries created by other users, including administrators, via the 'id' parameter.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Note that the vector scores only a low integrity impact (I:L); the read access via bplde_get_single that the description also lists is not reflected in the score.

Technical Details

Affected versions: <= 2.0.4
Published: January 27, 2026
Last updated: March 27, 2026
Affected plugin: document-emberdder

Source Code

WordPress.org SVN
Research Plan
Unverified


Exploitation Research Plan: CVE-2026-1389 - Document Embedder IDOR

1. Vulnerability Summary

The Document Embedder plugin for WordPress (versions <= 2.0.4) contains multiple Insecure Direct Object Reference (IDOR) vulnerabilities in its AJAX handlers. Specifically, the actions bplde_save_document_library, bplde_get_single, and bplde_delete_document_library do not verify that the authenticated user has permission to access or modify the specific entry identified by the id parameter.

While the handlers are restricted to authenticated users (Author level and above), they lack checks to ensure the id belongs to the requesting user or that the user has administrative privileges to manage others' entries. This allows an attacker with an Author-level account to read, modify, or delete document library entries created by any other user, including administrators.

2. Attack Vector Analysis

  • Endpoints: wp-admin/admin-ajax.php
  • AJAX Actions:
    • bplde_save_document_library (Update/Overwrite)
    • bplde_get_single (Read)
    • bplde_delete_document_library (Delete)
  • Vulnerable Parameter: id (The database ID of the document library entry).
  • Authentication Required: Authenticated user with Author role or higher.
  • Preconditions: The attacker must be logged in as an Author and know (or brute-force) the id of the target document library entry.

3. Code Flow

  1. The plugin registers AJAX handlers in the constructor of its main class or an AJAX handler class (likely using add_action( 'wp_ajax_bplde_...', ... )).
  2. An Author user sends a POST request to admin-ajax.php with action=bplde_delete_document_library&id=[TARGET_ID].
  3. The handler function (e.g., bplde_delete_document_library()) is invoked.
  4. The handler likely checks for a nonce using check_ajax_referer or wp_verify_nonce.
  5. Crucially, the handler retrieves the id from $_POST['id'] and performs a database operation (e.g., $wpdb->delete(...) or wp_delete_post(...)) without verifying if the current user owns the entry or has manage_options capabilities.
  6. The entry is deleted/modified/leaked regardless of ownership.
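The two handler shapes that the code flow above describes, written out as an added example in WordPress-style PHP. This is not the plugin's own code and is not taken from the advisory; the nonce action name bplde_nonce, the table name, the user_id column, the upload_files capability gate and the function names suffixed _vulnerable, _hardened and _example are assumptions made for illustration.

```php
<?php
// Added illustration of the IDOR described in the advisory, not the plugin's code.
// ASSUMPTIONS: nonce action 'bplde_nonce', table {$wpdb->prefix}bplde_document_library,
// and a `user_id` column recording the entry's creator.

// --- Vulnerable shape (what the advisory describes) -------------------------
// check_ajax_referer() only proves the request was not forged cross-site. Every
// Author who can load the admin page holds a valid nonce, so it says nothing
// about whether THIS user may touch entry $id.
function bplde_delete_document_library_vulnerable() {
    check_ajax_referer( 'bplde_nonce', 'nonce' );            // CSRF check only
    $id = isset( $_POST['id'] ) ? intval( $_POST['id'] ) : 0;

    global $wpdb;
    // Deletes whichever row $id names, regardless of who created it.
    $wpdb->delete( $wpdb->prefix . 'bplde_document_library', array( 'id' => $id ), array( '%d' ) );
    wp_send_json_success();
}

// --- Hardened shape ----------------------------------------------------------
// One authorization helper shared by the save / get_single / delete handlers,
// so all three affected actions make the same decision.
function bplde_example_user_can_manage_entry( $id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'bplde_document_library';

    // Ownership is resolved in the plugin's OWN table: the row id is not a post id,
    // so get_post_field( 'post_author', $id ) would look at an unrelated post.
    $row = $wpdb->get_row(
        $wpdb->prepare( "SELECT id, user_id FROM {$table} WHERE id = %d", $id )
    );
    if ( ! $row ) {
        return false;                                       // unknown id: deny
    }
    if ( current_user_can( 'manage_options' ) ) {
        return true;                                        // admins manage everything
    }
    return (int) $row->user_id === get_current_user_id();   // everyone else: own rows only
}

function bplde_delete_document_library_hardened() {
    check_ajax_referer( 'bplde_nonce', 'nonce' );

    // Minimum role gate. Authors have upload_files by default, Contributors do not,
    // which mirrors the Author+ exposure described in the advisory (assumption).
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    // Same response for "does not exist" and "not yours", so the endpoint does
    // not become an oracle for enumerating valid ids.
    if ( ! $id || ! bplde_example_user_can_manage_entry( $id ) ) {
        wp_send_json_error( array( 'message' => 'Not found' ), 404 );
    }

    global $wpdb;
    $deleted = $wpdb->delete( $wpdb->prefix . 'bplde_document_library', array( 'id' => $id ), array( '%d' ) );
    if ( false === $deleted ) {
        wp_send_json_error( array( 'message' => 'Delete failed' ), 500 );
    }
    wp_send_json_success( array( 'id' => $id ) );
}

add_action( 'wp_ajax_bplde_delete_document_library', 'bplde_delete_document_library_hardened' );
```

wp_send_json_error() calls wp_die(), so no return is needed after each denial. The same helper call belongs at the top of the save and get_single handlers; fixing only the delete path leaves the read and overwrite paths in the description open.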

4. Nonce Acquisition Strategy

The plugin likely localizes a nonce for these AJAX actions. Based on the action names, the localization key is likely related to bplde or doc_embedder.

  1. Identify Entry Point: Document Library management usually happens in the WordPress dashboard.
  2. Load the page that enqueues the nonce: if the nonce is only localized on the plugin's admin page, we must navigate there first.
  3. Extraction:
    • Login as the Author user.
    • Navigate to the Document Embedder dashboard: /wp-admin/admin.php?page=document-embedder-library (inferred slug).
    • Use the browser console (or an automated browser_eval step) to find the nonce.
    • Search Target: Look for a global object like bplde_ajax_obj or document_embedder_vars.
    • Inferred Script Variable: window.bplde_ajax?.nonce or window.bplde_params?.nonce.

5. Exploitation Strategy (Deletion Focus)

This plan focuses on the bplde_delete_document_library action to demonstrate impact.

Step 1: Admin creates a "Target" Document

The administrator creates a document library entry that the Author should not be able to delete.

Step 2: Author retrieves ID and Nonce

The Author logs in and identifies the id of the admin's document (via a list action such as bplde_get_all, if the plugin exposes one and it is reachable, or by simple incrementing/brute-forcing if IDs are sequential).

Step 3: Execution of Unauthorized Deletion

The Author sends the following request:

HTTP Request (sent with the Author's logged-in session; host and cookie values are placeholders):

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: [TARGET_HOST]
Cookie: [AUTHENTICATED_AUTHOR_SESSION_COOKIES]
Content-Type: application/x-www-form-urlencoded

action=bplde_delete_document_library&id=[TARGET_ID]&nonce=[EXTRACTED_NONCE]

6. Test Data Setup

  1. Users:
    • Admin: admin_user
    • Author: attacker_author (Role: Author)
  2. Document Entry:
    • As admin_user, create a document library entry via the plugin UI.
    • Capture the ID of this entry (e.g., 1).
  3. Plugin State: Ensure Document Embedder is active.

7. Expected Results

  • Response: The server should return a success message (e.g., {"success":true} or a string 1).
  • Outcome: The document library entry with id=[TARGET_ID] is removed from the database.
  • Bypass Confirmation: The deletion occurs even though the attacker_author does not own the entry.

8. Verification Steps

  1. List Documents via WP-CLI (post type and table name below are inferred, not confirmed):
    # If the plugin uses a Custom Post Type (check for 'bplde_doc' or similar)
    wp post list --post_type=document_library

    # If the plugin uses a custom table (more likely)
    wp db query "SELECT * FROM wp_bplde_document_library WHERE id = [TARGET_ID];"

  2. Confirm Absence: The query should return no results after the exploit.

9. Alternative Approaches

A. Information Disclosure (bplde_get_single)

If deletion is too destructive for the environment, use bplde_get_single to read entry details.

  • Action: bplde_get_single
  • Payload: action=bplde_get_single&id=[TARGET_ID]&nonce=[NONCE]
  • Expected: JSON response containing document details (e.g., file URLs, titles) belonging to the Admin.

B. Unauthorized Modification (bplde_save_document_library)

Overwrite an admin's document entry with attacker-controlled data.

  • Action: bplde_save_document_library
  • Payload: action=bplde_save_document_library&id=[TARGET_ID]&title=HACKED&nonce=[NONCE]
  • Expected: The Admin's entry title changes to "HACKED".

Research Findings
Static analysis — not yet PoC-verified

Summary

The Document Embedder plugin for WordPress (<= 2.0.4) is vulnerable to an Insecure Direct Object Reference (IDOR) via its AJAX handlers. Authenticated users with Author-level permissions can read, modify, or delete document library entries belonging to any user, including administrators, by supplying an arbitrary entry ID.

Security Fix

--- a/document-embedder.php
+++ b/document-embedder.php
@@ -102,6 +102,11 @@
 function bplde_delete_document_library() {
     check_ajax_referer('bplde_nonce', 'nonce');
     $id = isset($_POST['id']) ? intval($_POST['id']) : 0;
+    
+    // Added ownership and capability check
+    if (!current_user_can('manage_options') && get_post_field('post_author', $id) != get_current_user_id()) {
+        wp_send_json_error('Unauthorized access');
+    }
+
     // Original deletion logic
     global $wpdb;
     $wpdb->delete($wpdb->prefix . 'bplde_document_library', array('id' => $id));
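Review bot: the ownership test added at `get_post_field('post_author', $id) != get_current_user_id()` checks the wrong store. The context line `$wpdb->delete($wpdb->prefix . 'bplde_document_library', array('id' => $id))` shows that `$id` is a row id in the plugin's custom table, not a post id, so `get_post_field` returns either '' (no post with that id, denying a non-admin even for their own entry) or the author of an unrelated post that happens to share the number. Resolve the creator from the plugin's own table instead, for example (assuming the table records the creator in a column such as `user_id`) `$row = $wpdb->get_row( $wpdb->prepare( "SELECT user_id FROM {$wpdb->prefix}bplde_document_library WHERE id = %d", $id ) );` and deny when `! $row || (int) $row->user_id !== get_current_user_id()` unless `current_user_can('manage_options')`. Also reject `$id <= 0` before the query, since a missing parameter currently reaches `$wpdb->delete` as `id => 0` for administrators, and note the header `@@ -102,6 +102,11 @@` does not match the hunk, which adds six lines (new length should be 12), so the patch will not apply as written.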
@@ -115,6 +120,10 @@
 function bplde_get_single() {
     check_ajax_referer('bplde_nonce', 'nonce');
     $id = isset($_POST['id']) ? intval($_POST['id']) : 0;
+
+    if (!current_user_can('manage_options') && get_post_field('post_author', $id) != get_current_user_id()) {
+        wp_send_json_error('Unauthorized access');
+    }
+    // Original retrieval logic
 }
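Review bot: `bplde_save_document_library` is not touched by this patch even though the description lists it alongside `bplde_get_single` and `bplde_delete_document_library`, so after this change an Author can still overwrite another user's entry via `id`. Put the admin-or-owner decision in one helper and call it from all three handlers so they cannot drift; the `get_post_field('post_author', $id)` lookup here has the same custom-table mismatch as in the delete hunk. The line `+    // Original retrieval logic` is a placeholder with no code after it, and the header `@@ -115,6 +120,10 @@` does not match the four context and five added lines shown, so this diff reads as a reconstruction from static analysis (consistent with the "not yet PoC-verified" label above) rather than the actual 2.0.5 change; say so above the diff rather than presenting it as the shipped fix.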

Exploit Outline

To exploit this vulnerability, an attacker must have at least Author-level privileges.

  1. The attacker logs into the WordPress dashboard and navigates to the Document Embedder library page to obtain a valid AJAX nonce from the localized script variables (e.g., bplde_ajax_obj.nonce).
  2. The attacker identifies the 'id' of a target document library entry created by another user (often sequential and easily guessable).
  3. The attacker sends an authenticated POST request (carrying the Author's session cookies) to /wp-admin/admin-ajax.php using an action such as 'bplde_delete_document_library' or 'bplde_save_document_library'.
  4. By including the target 'id' and the valid nonce, the plugin performs the requested operation on the entry without verifying that the attacker owns the record or has administrative rights.
