Skip to content
Word 2016 vulnerability allows injecting HTML/JS code into a docx file's embeddedHTML="" tags.
Branch: master
Clone or download
Latest commit e5fd714 Dec 10, 2018
Type Name Latest commit message Commit time
Failed to load latest commit information.
docx-embeddedhtml-injection.ps1 Update docx-embeddedhtml-injection.ps1 Dec 10, 2018


Researchers at Cymulate found a vulnerability in Microsoft Word documents with an embedded video player. This vulnerability lets anyone inject HTML code in place of the expected Youtube iframe.

This PowerShell script exploits this known vulnerability in documents with embedded online videos by injecting them with HTML code, replacing the values of all pre-existing embeddedHtml tags. Microsoft Word will execute any HTML you inject, here's an example :


The process to inject the HTML code can be somewhat tedious. This script attempts to automate this process.

How to use


You will need a Word document with at least one or more online videos. To add an online video in a Word document, simply go to Insert > Online Video and search for a video. If you have any issues, refer to the official Microsoft documentation.

This script was made using PowerShell 5.1, so you will need PowerShell version 5.1 or a newer version.

To use this function in the PowerShell terminal, you can simply dot source it from the terminal :

PS C:\> . C:\scripts\docx-embedded-html.ps1

PS C:\> Inject-Docx -Path "C:\This\Is\A\test.docx" -HtmlBlock "<h3>Test</h3>"

To use this function in a script, you will need to dot source it in the script :

. C:\scripts\docx-embedded-hmtl.ps1


Here's how the function works :

Inject-Docx -Path "C:\This\Is\A\test.docx" -HtmlBlock "<h3>Test</h3>" -DestinationName "destination.docx"

-Path being the path of the original document.

-HtmlBlock being the HTML block to be injected.

-DestinationName being the file name of the final document. This parameter is optional (default is "output.docx")

Vulnerability mitigation

Currently, the only way to mitigate this vulnerability is to block Word documents containing embedded video. Microsoft has not acknowledged this as being a vulnerability, and seem to have no plan to fix it. Here is the official response from Jeff Jones, senior director at Microsoft :

“The product is properly interpreting html as designed — working in the same manner as similar products.”


You can’t perform that action at this time.