Stored Cross-Site Scripting Vulnerability in EmbedPress Plugin for WordPress
CVE-2026-7796

6.4MEDIUM

What is CVE-2026-7796?

The EmbedPress plugin for WordPress suffers from a stored cross-site scripting vulnerability, allowing attackers with contributor-level access or higher to inject malicious web scripts. This issue stems from insufficient input sanitization and output escaping pertaining to the 'url' block attribute. When users access a page with the injected code, the scripts execute, potentially compromising user safety and site integrity. It is crucial for website administrators to review and update to the latest versions to mitigate risks associated with this vulnerability.

Affected Version(s)

EmbedPress – PDF Embedder, Embed PDF viewer, YouTube Videos, 3D FlipBook, Social feeds & more 0 <= 4.5.3

References

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jangwoo Choi
.