CVE-2025-12885
Unknown Unknown - Not Provided
Stored XSS in Embed Any Document WordPress Plugin Allows Script Injection

Publication date: 2025-12-18

Last updated on: 2025-12-18

Assigner: Wordfence

Description
The Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the sanitize_pdf_src function regex bypass in all versions up to, and including, 2.7.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-18
Last Modified
2025-12-18
Generated
2026-06-16
AI Q&A
2025-12-18
EPSS Evaluated
2026-06-14
NVD
CVE-2025-12885
EUVD
EUVD-2025-204022
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordpress embed_any_document *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-12885 is a Stored Cross-Site Scripting (XSS) vulnerability in the WordPress plugin "Embed Any Document" (versions up to and including 2.7.10). It occurs because the plugin's sanitize_pdf_src function does not properly sanitize and escape input, allowing authenticated users with Contributor-level access or higher to inject malicious web scripts into pages. These scripts execute whenever a user accesses the infected page, potentially compromising site security. [2]

Impact Analysis

This vulnerability can allow attackers with Contributor-level access or above to inject arbitrary malicious scripts into WordPress pages via document embed attributes. When other users visit these pages, the malicious scripts execute, potentially leading to unauthorized actions such as stealing user credentials, hijacking user sessions, defacing the website, or distributing malware. This compromises the security and integrity of the affected WordPress site. [2]

Detection Guidance

To detect this vulnerability, you can scan your WordPress site for pages containing the vulnerable plugin version (up to 2.7.10) and look for embedded document elements with unsafe attributes. Specifically, search for <div> elements with the class 'ead-document' that have suspicious or malformed 'data-pdf-src' attributes or JavaScript event handlers like 'onclick', 'onload', etc. Commands such as grep or WP-CLI can be used to search the site content or plugin files. For example, you might use: grep -r 'ead-document' /path/to/wordpress/wp-content/plugins/embed-any-document/ or grep -r 'data-pdf-src' /path/to/wordpress/wp-content/uploads/. Additionally, monitoring HTTP requests for suspicious script injections in pages served by the plugin can help detect exploitation attempts. [2]

Mitigation Strategies

The immediate mitigation step is to update the Embed Any Document plugin to version 2.7.11 or later, which includes a fix that enhances sanitization of embed HTML elements and attributes to prevent XSS attacks. If updating is not immediately possible, restrict Contributor-level access and above to trusted users only, and consider disabling the plugin temporarily. Additionally, review and sanitize any existing embedded documents that may contain malicious scripts. Applying web application firewall (WAF) rules to block suspicious payloads related to this vulnerability can also help mitigate risk. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12885. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart