Stored Cross-Site Scripting in Embed Any Document Plugin for WordPress
CVE-2025-12885

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: Embed Any Document – Embed PDF, Word, Powerpoint And Excel Files
Vendor: CVE Published:; 18 December 2025

What is CVE-2025-12885?

The Embed Any Document plugin for WordPress exhibits a vulnerability that allows authenticated users with Contributor-level permissions and above to exploit a flaw in the sanitize_pdf_src function. This flaw arises from inadequate input sanitization and escaping of output, enabling attackers to insert arbitrary web scripts. When executed, these scripts can compromise the integrity of pages viewed by users, leading to undesirable actions or data exposure whenever an affected page is accessed.

Affected Version(s)

Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files * <= 2.7.10

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3406443/

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 18, 2025
Vulnerability Reserved
Nov 7, 2025

Credit

Muhammad Yudha - DJ

JSON