EmbedPress – Embed Various Content Types – Authenticated (Contributor+) Stored Cross-Site Scripting via EmbedPress PDF Widget – CVE-2024-2128 | WordPress Plugin Vulnerability Report

Plugin Name: EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor

Key Information:

  • Software Type: Plugin
  • Software Slug: embedpress
  • Software Status: Active
  • Software Author: wpdevteam
  • Software Downloads: 2,279,058
  • Active Installs: 90,000
  • Last Updated: March 12, 2024
  • Patched Versions: 3.9.11
  • Affected Versions: <= 3.9.10

Vulnerability Details:

  • Name: EmbedPress <= 3.9.10 - Authenticated Stored Cross-Site Scripting via PDF Widget
  • Title: Vulnerability in EmbedPress PDF Widget
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-2128
  • CVSS Score: 6.4
  • Publicly Published: March 7, 2024
  • Researcher: Wesley
  • Description: EmbedPress, a plugin that enhances WordPress sites by enabling the embedding of various content types, has a vulnerability in its PDF widget. This flaw allows authenticated users with at least contributor permissions to execute Stored Cross-Site Scripting (XSS) attacks by injecting malicious scripts into web pages via insufficiently sanitized and escaped user-supplied attributes.


The flexibility of the EmbedPress plugin in embedding diverse content types directly into WordPress sites has made it a popular tool among site administrators. However, a critical vulnerability identified in versions up to 3.9.10 compromises this utility by opening doors to potential security breaches. Thankfully, the issue has been resolved in the recently released version 3.9.11, reinforcing the plugin's security framework and ensuring its safe use on WordPress sites.

Detailed Overview:

Discovered by the security researcher Wesley, the vulnerability within the EmbedPress plugin underscores the vital importance of thorough input validation and output encoding in software development, especially in plugins that interact extensively with external content sources. The capacity for XSS attacks poses significant risks, including unauthorized access, data manipulation, and the distribution of malicious content, thereby endangering both site integrity and user trust. The prompt issuance of a patch by the plugin's developers underscores their commitment to user security and the plugin's reliability.

Advice for Users:

  • Immediate Action: Users should immediately upgrade their EmbedPress plugin to version 3.9.11 through the WordPress dashboard to safeguard against this vulnerability. Ensuring that your installation is up-to-date is crucial in maintaining site security.
  • Check for Signs of Vulnerability: Regularly inspect your website for unexpected or suspicious behavior, particularly in areas where embedded content is displayed, as this might indicate exploitation of the vulnerability.
  • Alternate Plugins: While the patched version addresses this specific issue, exploring alternative embedding plugins could provide additional features or security benefits, depending on your site's needs.
  • Stay Updated: Consistently keeping all site components, including themes, plugins, and the WordPress core, updated is essential in protecting against known vulnerabilities and enhancing site performance.


The identification and resolution of CVE-2024-2128 within the EmbedPress plugin serve as a critical reminder of the ongoing cybersecurity threats in the digital realm. For WordPress site administrators, particularly those managing small businesses or personal blogs with limited IT resources, recognizing the importance of regular updates and cybersecurity best practices is paramount. Proactively securing digital assets ensures not only the operational integrity of online platforms but also the preservation of user confidence and trust.


Navigating the Digital Landscape: The Crucial Balance Between Functionality and Security

In the realm of WordPress, plugins like EmbedPress have transformed the way we integrate diverse content into our websites, offering unparalleled ease and efficiency. EmbedPress, with its robust capabilities for embedding PDFs, Google Docs, Vimeo videos, YouTube content, and more, has become an indispensable tool for over 90,000 websites. Yet, the discovery of CVE-2024-2128 casts a spotlight on the delicate equilibrium between the added functionality of plugins and the imperative of maintaining digital security.

Unveiling the Vulnerability: CVE-2024-2128

CVE-2024-2128 presents a significant challenge, identified within the EmbedPress PDF widget, affecting versions up to 3.9.10. This vulnerability arises from insufficient input sanitization and output escaping, permitting authenticated users with contributor-level access to launch Stored Cross-Site Scripting (XSS) attacks. Such attacks could lead to the execution of arbitrary web scripts, potentially compromising site security and endangering user data.

The Implications of CVE-2024-2128

The impact of CVE-2024-2128 extends beyond mere technical glitches, posing tangible threats to website integrity and user trust. The ability for malicious scripts to be injected and executed within a site can lead to unauthorized access, data breaches, and a host of other security concerns, underscoring the critical nature of this vulnerability.

Addressing the Threat: Remediation and Updates

In response to the discovery of CVE-2024-2128 by security researcher Wesley on March 7, 2024, the wpdevteam acted swiftly to release a patched version of the plugin, 3.9.11, effectively neutralizing the threat posed by this vulnerability. This prompt action underscores the developers' dedication to user safety and the reliability of their plugin.

Best Practices for Users: Vigilance and Proactivity

For WordPress site administrators, especially those managing small business websites with constrained IT resources, the emergence of CVE-2024-2128 serves as a vital reminder of the importance of vigilance in plugin management. Regular updates are not merely routine maintenance; they are essential measures to safeguard against known vulnerabilities, ensuring the security and performance of your site.

The Ongoing Battle Against Digital Threats

The landscape of digital security is fraught with challenges, yet armed with knowledge and a proactive approach to updates, WordPress site owners can navigate this terrain with confidence. Regularly updating plugins like EmbedPress is not just about accessing new features; it's a critical defense strategy against the ever-evolving threats in the digital realm. For small business owners, this commitment to digital upkeep is paramount, ensuring the safety, integrity, and trustworthiness of their online presence in an increasingly complex digital ecosystem.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

EmbedPress – Embed Various Content Types – Authenticated (Contributor+) Stored Cross-Site Scripting via EmbedPress PDF Widget – CVE-2024-2128 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment