CVE-2025-12885
📋 TL;DR
This stored XSS vulnerability in the Embed Any Document WordPress plugin allows authenticated attackers with Contributor access or higher to inject malicious scripts into web pages. When users visit compromised pages, the scripts execute in their browsers, potentially stealing credentials or performing unauthorized actions. All WordPress sites using this plugin up to version 2.7.10 are affected.
💻 Affected Systems
- Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, take over the WordPress site, install backdoors, deface the site, or redirect visitors to malicious sites.
Likely Case
Attackers with contributor accounts inject malicious scripts to steal session cookies or user credentials, potentially compromising user accounts and site integrity.
If Mitigated
With proper input validation and output escaping, the vulnerability is prevented, and only legitimate document embeds function normally.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once an attacker has contributor privileges. The vulnerability is publicly disclosed with technical details available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.7.11
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3406443/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Embed Any Document' plugin. 4. Click 'Update Now' if update is available. 5. Alternatively, download version 2.7.11 from WordPress repository and manually update.
🔧 Temporary Workarounds
Disable vulnerable plugin
allTemporarily disable the Embed Any Document plugin until patched
wp plugin deactivate embed-any-document
Restrict contributor access
allTemporarily remove contributor role permissions or restrict new contributor registrations
wp role reset contributor
wp option update users_can_register 0
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block XSS payloads in plugin parameters
- Monitor and audit contributor-level user activities for suspicious document embedding behavior
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Embed Any Document' version. If version is 2.7.10 or lower, the site is vulnerable.Check Version:
wp plugin get embed-any-document --field=versionVerify Fix Applied:
After updating, verify plugin version shows 2.7.11 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to wp-admin/admin-ajax.php with embed-any-document parameters containing script tags
- Multiple failed login attempts followed by successful contributor-level login
Network Indicators:
- HTTP requests containing malicious script payloads in 'src' or document embedding parameters
- Outbound connections to suspicious domains after visiting embedded document pages
SIEM Query:
source="wordpress.log" AND ("embed-any-document" OR "sanitize_pdf_src") AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")