Stored Cross-Site Scripting Vulnerability in EmbedPress Plugin for WordPress
CVE-2026-7796
6.4MEDIUM
Key Information:
- Vendor
WordPress
- Status
- Vendor
- CVE Published:
- 6 June 2026
What is CVE-2026-7796?
The EmbedPress plugin for WordPress suffers from a stored cross-site scripting vulnerability, allowing attackers with contributor-level access or higher to inject malicious web scripts. This issue stems from insufficient input sanitization and output escaping pertaining to the 'url' block attribute. When users access a page with the injected code, the scripts execute, potentially compromising user safety and site integrity. It is crucial for website administrators to review and update to the latest versions to mitigate risks associated with this vulnerability.
Affected Version(s)
EmbedPress β PDF Embedder, Embed PDF viewer, YouTube Videos, 3D FlipBook, Social feeds & more 0 <= 4.5.3