CVE-2025-12885
Stored XSS in Embed Any Document WordPress Plugin Allows Script Injection
Publication date: 2025-12-18
Last updated on: 2025-12-18
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | embed_any_document | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-12885 is a Stored Cross-Site Scripting (XSS) vulnerability in the WordPress plugin "Embed Any Document" (versions up to and including 2.7.10). It occurs because the plugin's sanitize_pdf_src function does not properly sanitize and escape input, allowing authenticated users with Contributor-level access or higher to inject malicious web scripts into pages. These scripts execute whenever a user accesses the infected page, potentially compromising site security. [2]
How can this vulnerability impact me? :
This vulnerability can allow attackers with Contributor-level access or above to inject arbitrary malicious scripts into WordPress pages via document embed attributes. When other users visit these pages, the malicious scripts execute, potentially leading to unauthorized actions such as stealing user credentials, hijacking user sessions, defacing the website, or distributing malware. This compromises the security and integrity of the affected WordPress site. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To detect this vulnerability, you can scan your WordPress site for pages containing the vulnerable plugin version (up to 2.7.10) and look for embedded document elements with unsafe attributes. Specifically, search for <div> elements with the class 'ead-document' that have suspicious or malformed 'data-pdf-src' attributes or JavaScript event handlers like 'onclick', 'onload', etc. Commands such as grep or WP-CLI can be used to search the site content or plugin files. For example, you might use: grep -r 'ead-document' /path/to/wordpress/wp-content/plugins/embed-any-document/ or grep -r 'data-pdf-src' /path/to/wordpress/wp-content/uploads/. Additionally, monitoring HTTP requests for suspicious script injections in pages served by the plugin can help detect exploitation attempts. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Embed Any Document plugin to version 2.7.11 or later, which includes a fix that enhances sanitization of embed HTML elements and attributes to prevent XSS attacks. If updating is not immediately possible, restrict Contributor-level access and above to trusted users only, and consider disabling the plugin temporarily. Additionally, review and sanitize any existing embedded documents that may contain malicious scripts. Applying web application firewall (WAF) rules to block suspicious payloads related to this vulnerability can also help mitigate risk. [2]