CVE-2026-1389

5.3 MEDIUM

📋 TL;DR

This vulnerability allows authenticated WordPress users with Author-level permissions or higher to access, modify, and delete Document Library entries belonging to other users, including administrators. The flaw is in the Document Embedder plugin's AJAX actions, which process requests without verifying that the caller is permitted to act on the requested entry. All WordPress sites running a vulnerable version of the plugin are affected.

💻 Affected Systems

Products:
  • Document Embedder – Embed PDFs, Word, Excel, and Other Files WordPress plugin
Versions: All versions up to and including 2.0.4
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the vulnerable plugin enabled and at least one user with Author-level permissions or higher.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Author-level attackers could delete or modify all Document Library entries, potentially removing critical business documents or injecting malicious content that could compromise site visitors.

🟠 Likely Case

Malicious authors could access sensitive documents uploaded by other users, modify existing documents, or delete content they shouldn't have access to, leading to data loss or unauthorized information disclosure.

🟢 If Mitigated

With proper access controls and monitoring, impact would be limited to unauthorized access attempts that could be detected and blocked before data compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access with Author permissions or higher. Attack involves manipulating AJAX requests with different document IDs.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.5

Vendor Advisory: https://plugins.trac.wordpress.org/browser/document-emberdder/tags/2.0.5/includes/DocumentLibrary/Init-DocumentLibrary.php

Restart Required: No

Instructions:

  1. Log into the WordPress admin panel.
  2. Navigate to Plugins → Installed Plugins.
  3. Find the 'Document Embedder' plugin.
  4. Click 'Update Now' if an update is available.
  5. Alternatively, download version 2.0.5 or later from the WordPress plugin repository and update manually.

🔧 Temporary Workarounds

Disable vulnerable AJAX endpoints

Applies to: all

Remove or restrict access to the vulnerable AJAX actions via .htaccess or WordPress hooks. Note that mod_rewrite can only match the action when it appears in the query string; admin-ajax.php normally receives it in the POST body, which .htaccess cannot inspect, so a WordPress hook that unregisters the actions (or disabling the plugin) is the more reliable option.

Add to .htaccess (the query string is matched with RewriteCond, not inside the RewriteRule pattern):

RewriteCond %{QUERY_STRING} (^|&)action=(bplde_save_document_library|bplde_get_single|bplde_delete_document_library)(&|$)
RewriteRule ^wp-admin/admin-ajax\.php$ - [F]

Restrict Author permissions

Applies to: all

Temporarily downgrade Author users to the Contributor role, which cannot publish posts. WordPress stores roles in wp_usermeta (serialized in wp_capabilities, with a legacy level in wp_user_level), not in a user_level column of wp_users, so the direct SQL is:

UPDATE wp_usermeta SET meta_value = 'a:1:{s:11:"contributor";b:1;}' WHERE meta_key = 'wp_capabilities' AND meta_value LIKE '%"author"%';
UPDATE wp_usermeta SET meta_value = '1' WHERE meta_key = 'wp_user_level' AND meta_value = '2';

Adjust the wp_ prefix to the site's table prefix. The same change without editing serialized data is wp user set-role <user> contributor, run once per Author account.

🧯 If You Can't Patch

  • Disable the Document Embedder plugin completely until patched
  • Implement strict monitoring of AJAX requests containing 'bplde_' actions in WordPress logs

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Document Embedder → Version. If version is 2.0.4 or lower, you are vulnerable.

Check Version:

wp plugin list --fields=name,version | grep -i document

(The name column holds the plugin slug rather than the display name, so filter on it with grep instead of --name='Document Embedder'.)

Verify Fix Applied:

After updating, verify plugin version shows 2.0.5 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Multiple AJAX requests to admin-ajax.php with action parameters: bplde_save_document_library, bplde_get_single, bplde_delete_document_library from same user in short timeframe
  • Unauthorized access attempts to document IDs not owned by the requesting user

Network Indicators:

  • POST requests to /wp-admin/admin-ajax.php with 'action' parameter containing bplde_* values
  • Unusual pattern of document ID parameter manipulation in requests

SIEM Query:

source="wordpress.log" AND (action="bplde_save_document_library" OR action="bplde_get_single" OR action="bplde_delete_document_library") | stats count by src_ip, user
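The log and network indicators above, implemented as a small detector (added example; not from the advisory, the plugin, or its vendor): it parses constructed combined-format access-log lines, pulls the bplde_* action and document ID from the admin-ajax.php query string, and flags any client that touches five or more distinct document IDs within a minute, the ID-walking pattern described under Exploit Status. Assumptions: the username appears in the log's third field (stock Apache logs show "-" there, and the action usually travels in the POST body, which access logs cannot see), and the id/post_id/document_id parameter names, thresholds and sample traffic are mine.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined-format line: ip ident user [time] "METHOD path HTTP/x" status size.
# Assumption: the third field carries the WordPress username (stock Apache logs show "-").
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"[A-Z]+ (?P<path>\S+) [^"]*" \d{3}')
ACTION_RE = re.compile(r"[?&]action=(bplde_[a-z_]+)")
ID_RE = re.compile(r"[?&](?:id|post_id|document_id)=(\d+)")  # parameter names are assumed

def parse_line(line):
    """Return (ip, user, ts, action, doc_id) for admin-ajax.php hits carrying a bplde_ action, else None."""
    m = LOG_RE.match(line)
    if not m or "admin-ajax.php" not in m["path"]:
        return None
    a = ACTION_RE.search(m["path"])
    if not a:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    i = ID_RE.search(m["path"])
    return m["ip"], m["user"], ts, a.group(1), int(i.group(1)) if i else None

def find_bursts(lines, window_s=60, threshold=5):
    """Flag (ip, user) pairs that touch >= threshold distinct document IDs via bplde_ actions within window_s seconds."""
    by_key = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_key[(rec[0], rec[1])].append(rec[2:])  # (ts, action, doc_id)
    alerts = {}
    for key, events in by_key.items():
        events.sort(key=lambda e: e[0])
        for i, (t0, _, _) in enumerate(events):  # slide a window starting at each event
            window = [e for e in events[i:] if (e[0] - t0).total_seconds() <= window_s]
            ids = {e[2] for e in window if e[2] is not None}
            if len(ids) >= threshold:
                alerts[key] = {"requests": len(window), "distinct_ids": len(ids),
                               "actions": sorted({e[1] for e in window})}
                break
    return alerts

def _hit(ip, user, sec, action, doc_id):  # builds one constructed sample log line
    return (f'{ip} - {user} [01/Feb/2026:10:00:{sec:02d} +0000] "POST /wp-admin/'
            f'admin-ajax.php?action={action}&id={doc_id} HTTP/1.1" 200 512')
# Constructed sample (not real traffic): author1 walks IDs 101-105 then deletes one; editor2 does one normal save.
SAMPLE_LOG = [_hit("203.0.113.7", "author1", 6 * n, "bplde_get_single", 100 + n) for n in range(1, 6)]
SAMPLE_LOG += [_hit("203.0.113.7", "author1", 40, "bplde_delete_document_library", 105),
               _hit("198.51.100.9", "editor2", 50, "bplde_save_document_library", 7),
               '198.51.100.9 - editor2 [01/Feb/2026:10:00:53 +0000] "GET /wp-admin/index.php HTTP/1.1" 200 3000']
```

Running find_bursts(SAMPLE_LOG) reports only author1 (six requests, five distinct IDs, both a read and a delete action); a single save from editor2 and the unrelated page load stay below the threshold or are ignored.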
