Server-Side Request Forgery Vulnerability in Embed Any Document Plugin for WordPress
CVE-2025-1043
6.4 MEDIUM
Key Information:
- Vendor: WordPress
- CVE Published: 20 February 2025
Summary
The Embed Any Document plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) through its ‘embeddoc’ shortcode. Authenticated attackers with Contributor-level access or higher can use the shortcode to initiate web requests to arbitrary endpoints, potentially enabling unauthorized access to and manipulation of internal services.
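A defensive audit for the issue described above, as an added example that is not part of the original advisory or the plugin's code: it scans post content for `embeddoc` shortcodes whose target is a loopback, private, or otherwise non-public address. The `url` attribute name, the internal-hostname suffixes and the sample rows are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: the shortcode carries its target in a url="..." attribute.
SHORTCODE = re.compile(r'\[embeddoc\b([^\]]*)\]', re.I)
URL_ATTR = re.compile(r'''\burl\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))''', re.I)
INTERNAL_SUFFIXES = (".localhost", ".local", ".internal")  # assumed naming

def classify(url):
    """Return a reason string if the URL points at an internal target, else None."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:  # e.g. malformed bracketed IPv6 literal
        return "unparseable URL"
    if parts.scheme.lower() not in ("http", "https"):
        return "non-http scheme"
    if not host:
        return "no host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A hostname, not an IP literal; public-looking names still need
        # resolving at review time because DNS can point them inward.
        internal = host == "localhost" or host.endswith(INTERNAL_SUFFIXES)
        return "internal hostname" if internal else None
    return None if ip.is_global else "non-public address"

def audit(posts):
    """posts: iterable of (post_id, author, post_content). Returns flagged shortcodes."""
    findings = []
    for post_id, author, content in posts:
        for sc in SHORTCODE.finditer(content):
            m = URL_ATTR.search(sc.group(1))
            if m:
                url = next(g for g in m.groups() if g is not None)
                reason = classify(url)
                if reason:
                    findings.append((post_id, author, url, reason))
    return findings

# Constructed sample rows, shaped like an export of wp_posts.
SAMPLE = [
    (101, "editor1", '[embeddoc url="https://example.com/report.pdf" viewer="google"]'),
    (102, "contrib7", 'Intro [embeddoc url="http://192.168.1.20/files/a.pdf"]'),
    (103, "contrib7", "[embeddoc url='http://localhost:8080/status' height='500px']"),
    (104, "author2", "No shortcode here, just http://10.0.0.5/ in plain text."),
]
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Findings that cluster on Contributor-level accounts are the ones to review first, since that is the minimum privilege the advisory names.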
Affected Version(s)
Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files * <= 2.7.5
CVSS V3.1
- Score: 6.4
- Severity: MEDIUM
- Confidentiality: Low
- Integrity: Low
- Availability: Low
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Youcef Hamdani