Stored Cross-Site Scripting Vulnerability in EmbedPress Plugin
CVE-2024-2688

5.4MEDIUM

Key Information:

Vendor: WordPress
Status: Embedpress – PDF Embedder, Embed Youtube Videos, 3d Flipbook, Social Feeds, Docs & More
Vendor: CVE Published:; 23 March 2024

What is CVE-2024-2688?

The EmbedPress plugin for WordPress is susceptible to a Stored Cross-Site Scripting vulnerability through its document widget. This vulnerability arises from inadequate sanitization of user input and failing to escape outputs for user-supplied attributes. Authenticated attackers with contributor-level access or higher can exploit this flaw to inject arbitrary web scripts into pages. These scripts will execute in the context of user sessions, potentially compromising user data and leading to further exploitation.

Affected Version(s)

EmbedPress – PDF Embedder, Embed YouTube Videos, 3D FlipBook, Social feeds, Docs & more 0 <= 3.9.12

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 23, 2024
Vulnerability Reserved
Mar 19, 2024

Credit

Ngô Thiên An

Son Tran

CVE-2024-2688 Data

JSON