Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor – Authenticated (Contributor+) Stored Cross-site Scripting via 'embedpress_doc_custom_color' – CVE-2024-2688 | WordPress Plugin Vulnerability Report – EmbedPress
Plugin Name: EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor
Key Information:
- Software Type: Plugin
- Software Slug: embedpress
- Software Status: Active
- Software Author: wpdevteam
- Software Downloads: 2,350,234
- Active Installs: 90,000
- Last Updated: March 22, 2024
- Patched Versions: 3.9.13
- Affected Versions: <= 3.9.12
Vulnerability Details:
- Name: EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor <= 3.9.12
- Title: Authenticated (Contributor+) Stored Cross-site Scripting via 'embedpress_doc_custom_color'
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
- CVE: CVE-2024-2688
- CVSS Score: 5.4
- Publicly Published: March 22, 2024
- Researcher: Ngô Thiên An (ancorn_) - VNPT-VCI ST
- Description: The EmbedPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the EmbedPress document widget in all versions up to, and including, 3.9.12 due to insufficient input sanitization and output escaping on user-supplied attributes. Authenticated attackers, with contributor-level access and above, can inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Summary:
The EmbedPress plugin for WordPress, which allows users to embed a variety of content types in their sites, has a vulnerability in versions up to and including 3.9.12. This vulnerability, arising from insufficient input sanitization and output escaping within the 'embedpress_doc_custom_color' attribute, enables authenticated users with at least contributor permissions to inject malicious scripts. This issue has been addressed in version 3.9.13 of the plugin.
Detailed Overview:
This vulnerability, discovered by security researcher Ngô Thiên An from VNPT-VCI ST, specifically affects the EmbedPress document widget's 'embedpress_doc_custom_color' attribute. The lack of adequate input sanitization and output escaping makes it possible for attackers to embed harmful scripts that are executed when other users view the affected page. The execution of such scripts can compromise the integrity and security of the website. The prompt update to version 3.9.13 has resolved this vulnerability, reinforcing the importance of maintaining up-to-date software.
Advice for Users:
- Immediate Action: Users of the EmbedPress plugin are urged to update to version 3.9.13 immediately to mitigate the risk posed by this vulnerability.
- Check for Signs of Vulnerability: Administrators should review their websites for any unusual or unauthorized content, particularly in pages where the EmbedPress document widget is used.
- Alternate Plugins: While the issue has been patched, considering alternative embedding plugins might be wise until confidence in this plugin's security is fully restored.
- Stay Updated: Regularly updating all WordPress plugins and themes is crucial in protecting against known vulnerabilities and enhancing website security.
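For the "Check for Signs of Vulnerability" step, one way to triage stored widget settings, shown as an added example that is not EmbedPress or advisory code: it assumes the widget settings have been exported from Elementor's `_elementor_data` post meta as (post ID, JSON text) rows, walks the JSON for the `embedpress_doc_custom_color` key named in the advisory, and reports any value that is not a plain hex or numeric rgb/hsl colour. The function names, the colour allowlist and the sample rows are constructed for illustration.

```python
import json
import re

ATTR = "embedpress_doc_custom_color"  # attribute named in the advisory
# Strict allowlist (an assumption of this example): hex or numeric rgb/hsl colours only.
SAFE_COLOR = re.compile(
    r"#(?:[0-9a-fA-F]{3,4}|[0-9a-fA-F]{6}|[0-9a-fA-F]{8})"
    r"|(?:rgb|hsl)a?\(\s*[0-9.%]+(?:\s*,\s*[0-9.%]+){2,3}\s*\)"
)


def find_suspect_colors(node, path="$"):
    """Walk decoded JSON; return (path, value) for every ATTR value that is not a plain colour."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if key != ATTR:
                hits.extend(find_suspect_colors(value, here))
            elif not (isinstance(value, str) and (value == "" or SAFE_COLOR.fullmatch(value.strip()))):
                hits.append((here, value))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_suspect_colors(item, f"{path}[{i}]"))
    return hits


def scan_export(rows):
    """rows: iterable of (post_id, json_text). Returns {post_id: [(path, value), ...]} for flagged posts."""
    report = {}
    for post_id, text in rows:
        try:
            hits = find_suspect_colors(json.loads(text))
        except (TypeError, ValueError):
            hits = [("$", "unparseable JSON")]  # surface rows that need a manual look
        if hits:
            report[post_id] = hits
    return report

# Constructed sample rows (not taken from any real site).
SAMPLE_ROWS = [
    (101, '[{"elType":"widget","settings":{"embedpress_doc_custom_color":"#3a7bd5"}}]'),
    (102, '[{"elType":"section","elements":[{"elType":"widget","settings":'
          '{"embedpress_doc_custom_color":"#fff; constructed <b>marker</b>"}}]}]'),
    (103, "not json"),
]

if __name__ == "__main__":
    print(json.dumps(scan_export(SAMPLE_ROWS), indent=2))
```

A flagged entry only means the stored value is not a plain colour; review the post's revision history and author before deciding whether it is an injection.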
Conclusion: The swift response by the EmbedPress developers in releasing a patch for this vulnerability highlights the critical importance of software maintenance in the digital ecosystem. To secure their WordPress installations against this specific threat, users are advised to ensure that they have updated the EmbedPress plugin to version 3.9.13 or later.