Below is a practical security / architecture explanation of the EndNote 2025 Microsoft 365 (Word) plugin — what it is, what access it has, and whether your document content leaves the device.
The plugin is called Cite While You Write (CWYW).
Architecture
- Type: Local COM / macro-based Word add-in (desktop Office)
- Installed: Automatically with EndNote desktop client
- Works only with locally installed Word (not web Word by default in secure environments)
- Interaction model: Word ⇄ EndNote desktop process ⇄ (optional) EndNote Cloud sync
Key behaviour:
- Word loads the EndNote toolbar
- Clicking a citation launches EndNote locally
- Word fields store citation metadata (not plain text)
Evidence:
- The add-in is macro-based and disabled in protected documents
- Installed as part of EndNote and appears as a Word tab
- Selecting commands starts the EndNote application
How citations are stored inside the document
EndNote does not insert plain text references.
It inserts hidden field codes (XML metadata) into the DOCX, containing for example:
- Author
- Year
- Record ID
- Library reference key
These remain embedded in the file as hidden field codes.
What permissions the plugin requires
Required Word permissions
Because it is a classic desktop add-in, it gets the same permissions as Word macros:
| Capability | Why it needs it |
|---|---|
| Read document text | Insert citation markers |
| Modify document | Format bibliography |
| Write hidden fields | Store citation metadata |
| Execute automation | Launch EndNote desktop |
| Access local file path | Attach references / PDFs |
On macOS you must enable automation between Microsoft Word and EndNote.
So effectively, it has full edit access to the open document (not the partial permissions that modern Office web add-ins get).
What it does NOT need
- No mailbox access
- No calendar access
- No tenant-wide M365 Graph permissions
- No SharePoint admin permissions
This is because it is not a cloud Office Add-in; it runs locally.
Does the plugin access or store document content externally?
Case A — Local library only
No document text is transmitted.
The plugin:
- reads the document locally
- inserts reference identifiers
- formats bibliography locally
Nothing leaves the machine except when you manually export or sync your library. Only the reference metadata is stored inside the DOCX.
Case B — Using EndNote Online sync (most organisations)
Now there is outbound data — but not the full paper.
What sync uploads:
- Reference metadata (title, authors, journal)
- Attached files you stored in your EndNote library
- Notes/annotations
- Library identifiers
What it does NOT upload automatically:
- The Word document body
- The manuscript text
- The bibliography text generated in Word
The Word document stays local; the plugin only links references to the cloud library.
Important nuance (often misunderstood)
Even though the paper isn’t uploaded:
Your DOCX contains embedded reference IDs.
If you provide the document to anyone who has EndNote, they can export the citation data back to an EndNote library. The recipient does not need the author’s library.
However, that’s metadata leakage, not content leakage.
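To see what the hidden field codes and embedded reference IDs described above expose before a document is shared, the following added example (not EndNote's code and not part of the original page) scans a DOCX for EndNote citation fields. It assumes the commonly seen field layout, an `ADDIN EN.CITE` instruction carrying `<Cite>` XML with `Author`, `Year`, `RecNum` and a `db-id` attribute; the function names and the sample document are constructed for illustration.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET  # for untrusted files, defusedxml.ElementTree is a drop-in
from xml.sax.saxutils import escape

NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
PARTS = re.compile(r"word/(document|footnotes|endnotes)\.xml")

def tag_text(xml, name):
    """Text of the first <name>...</name> element in an XML snippet, or None."""
    m = re.search(rf"<{name}>(.*?)</{name}>", xml, re.S)
    return m.group(1) if m else None

def endnote_citations(docx_bytes):
    """List citation metadata held in EndNote field codes inside a DOCX."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in filter(PARTS.fullmatch, z.namelist()):
            root = ET.fromstring(z.read(part))
            # Word may split one field instruction over several runs, so join them.
            instr = "".join(t.text or "" for t in root.iter(f"{{{NS}}}instrText"))
            for cite in re.findall(r"<Cite\b[^>]*>.*?</Cite>", instr, re.S):
                db = re.search(r'db-id="([^"]*)"', cite)
                hits.append({"part": part, "author": tag_text(cite, "Author"),
                             "year": tag_text(cite, "Year"),
                             "rec_num": tag_text(cite, "RecNum"),
                             "db_id": db.group(1) if db else None})
    return hits

def sample_docx(with_citation=True):
    """Constructed sample DOCX; the field layout is an assumption, not taken from the page."""
    code = ('ADDIN EN.CITE <EndNote><Cite><Author>Doe</Author><Year>2021</Year>'
            '<RecNum>12</RecNum><record><foreign-keys><key app="EN" '
            'db-id="CONSTRUCTED-DB-ID">12</key></foreign-keys></record></Cite></EndNote>')
    half = len(code) // 2  # split the instruction across two runs, as Word often does
    runs = "".join(f"<w:r><w:instrText>{escape(c)}</w:instrText></w:r>"
                   for c in (code[:half], code[half:])) if with_citation else ""
    xml = (f'<w:document xmlns:w="{NS}"><w:body><w:p>{runs}'
           "<w:r><w:t>(Doe, 2021)</w:t></w:r></w:p></w:body></w:document>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", xml)
    return buf.getvalue()

if __name__ == "__main__":
    for hit in endnote_citations(sample_docx()):
        print(hit)  # metadata a recipient could recover from the file
```

A non-empty result means the file still carries citation metadata that travels with it to every recipient.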
Security summary
| Question | Reality |
|---|---|
| Is this a cloud Office add-in? | No, this is a local automation plugin |
| Does it read the document? | Yes (full edit access) |
| Does it upload the paper? | No |
| Does it sync reference data? | Yes (if cloud library used) |
| Does it store hidden metadata in the doc? | Yes |
| Does it require broad Microsoft 365 permissions? | No |
| Main risk | Macro-level document access + metadata leakage |
Bottom line
EndNote’s Word plugin behaves more like an old-school desktop integration than a SaaS add-in:
- Full control of the open document locally
- No automatic exfiltration of manuscript content
- Cloud sync transfers only reference library data
- The DOCX file embeds hidden citation metadata
If you're doing a security assessment, the real risk is macro-level document access, not the more severe risk of cloud data harvesting.