Stored Cross-Site Scripting Vulnerability in EmbedPress Plugin
CVE-2024-2688

5.4MEDIUM

Key Information:

Vendor: Wordpress
Status: Embedpress – Embed PDF, Google Docs, Vimeo, Wistia, Embed Youtube Videos, Audios, Maps & Embed Any Documents In Gutenberg & Elementor
Vendor: CVE Published:; 23 March 2024

Summary

The EmbedPress plugin for WordPress is susceptible to a Stored Cross-Site Scripting vulnerability through its document widget. This vulnerability arises from inadequate sanitization of user input and failing to escape outputs for user-supplied attributes. Authenticated attackers with contributor-level access or higher can exploit this flaw to inject arbitrary web scripts into pages. These scripts will execute in the context of user sessions, potentially compromising user data and leading to further exploitation.

Affected Version(s)

EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor * <= 3.9.12

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 23, 2024
Vulnerability Reserved
Mar 19, 2024

Credit

Ngô Thiên An

Son Tran