EmbedPress Vulnerability – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor – Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-3244 & CVE-2024-3245 | WordPress Plugin Vulnerability Report

Plugin Name: EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor

Key Information:

  • Software Type: Plugin
  • Software Slug: embedpress
  • Software Status: Active
  • Software Author: wpdevteam
  • Software Downloads: 2,444,164
  • Active Installs: 90,000
  • Last Updated: April 10, 2024
  • Patched Versions: 3.9.15
  • Affected Versions: <= 3.9.14

Vulnerability Details:

1. Vulnerability:

  • Name: EmbedPress <= 3.9.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
  • CVE: CVE-2024-3244
  • CVSS Score: 6.4
  • Researcher: Wesley

2. Vulnerability:

  • Name: EmbedPress <= 3.9.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via Youtube Block
  • CVE: CVE-2024-3245
  • CVSS Score: 6.4
  • Researcher: João Pedro Soares de Alcântara - Kinorth

Description:

The EmbedPress plugin, a widely used tool for embedding media in WordPress sites, contains two stored cross-site scripting vulnerabilities in versions up to and including 3.9.14. CVE-2024-3244 and CVE-2024-3245 both stem from insufficient input sanitization and output escaping: an authenticated attacker with Contributor-level access or higher can place a crafted 'embedpress_calendar' shortcode or a crafted EmbedPress YouTube block in a post, and the injected script then runs in the browser of every user who views that page, including editors and administrators.

Summary:

The EmbedPress plugin for WordPress, popular for its wide range of embedding capabilities, is affected by two medium-severity (CVSS 6.4) stored cross-site scripting vulnerabilities in versions up to and including 3.9.14. Both result from missing input sanitization and output escaping of user-supplied attributes and allow an authenticated Contributor to store script in a post. Both issues are fixed in version 3.9.15.

Detailed Overview:

The vulnerabilities were reported by researchers Wesley and João Pedro Soares de Alcântara - Kinorth, who found that the plugin did not sanitize or escape user-supplied attributes of the 'embedpress_calendar' shortcode and the YouTube block before rendering them. Stored XSS of this kind is concerning because the script executes with the privileges of whoever views the page: a Contributor cannot publish posts, but when an editor or administrator previews or reviews the pending post, the script runs in that user's session and can submit requests with their privileges, for example to create users or change site settings. The patch in version 3.9.15 addresses these issues.

Advice for Users:

  • Immediate Action: Update the EmbedPress plugin to version 3.9.15 without delay to protect your site from potential exploits related to these vulnerabilities.
  • Check for Signs of Compromise: Review posts and pages, especially those created by Contributor accounts, for 'embedpress_calendar' shortcodes or EmbedPress YouTube blocks whose attribute values contain HTML tags, 'javascript:' URLs or event-handler names such as 'onload='. Also check for unexpected administrator accounts, changed site settings or unfamiliar plugins, which would indicate that an injected script has already run in a privileged user's browser.
  • Alternate Plugins: While the patched version rectifies these vulnerabilities, exploring other reputable embedding plugins could provide additional security and functionality.
  • Stay Updated: Regularly updating your WordPress plugins is crucial for maintaining a secure and functional website. Always ensure you are using the latest versions to benefit from security patches and feature enhancements.
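One way to carry out the content check above, as an added example written for this report (not EmbedPress, Wordfence or WordPress code): a stand-alone PHP scanner that walks post content and flags shortcode attributes and block attributes whose values contain markup, 'javascript:' URIs or event-handler names. The attribute names in the sample data and the 'embedpress/' block namespace are assumptions; the constructed $sample_posts array stands in for rows you would fetch with get_posts() when running the script through `wp eval-file`.

```php
<?php
/**
 * Added example for this report, not EmbedPress, Wordfence or WordPress code.
 * Flags shortcode and block attribute values that look like injected markup.
 * Runs stand-alone (php scan.php) on the constructed $sample_posts below; on a
 * live site, feed it post_content from get_posts() via `wp eval-file scan.php`.
 */

// Value patterns that have no business in an embed attribute.
function wpg_suspicious_patterns() {
    return array(
        '/<\s*\/?\s*[a-z]/i'       => 'HTML tag',
        '/javascript\s*:/i'        => 'javascript: URI',
        '/\bon[a-z]+\s*=/i'        => 'event handler attribute',
        '/data\s*:\s*text\/html/i' => 'data:text/html URI',
    );
}

// Label of the first matching pattern, or null for a clean value.
function wpg_check_value( $value ) {
    foreach ( wpg_suspicious_patterns() as $re => $label ) {
        if ( preg_match( $re, $value ) ) {
            return $label;
        }
    }
    return null;
}

// Shortcodes are stored as text: [embedpress_calendar key="value" ...].
function wpg_scan_shortcodes( $content, array $tags ) {
    $findings = array();
    $tag_re   = implode( '|', array_map( 'preg_quote', $tags ) );
    preg_match_all( '/\[(' . $tag_re . ')\b([^\]]*)\]/i', $content, $codes, PREG_SET_ORDER );
    foreach ( $codes as $code ) {
        // Same attribute grammar WordPress accepts: name="v", name='v' or name=v.
        preg_match_all(
            '/([a-z_][\w-]*)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s\]]+))/i',
            $code[2], $attrs, PREG_SET_ORDER
        );
        foreach ( $attrs as $a ) {
            // Exactly one of the three value groups matched; the others are empty or unset.
            $value  = $a[2] . ( isset( $a[3] ) ? $a[3] : '' ) . ( isset( $a[4] ) ? $a[4] : '' );
            $reason = wpg_check_value( $value );
            if ( null !== $reason ) {
                $findings[] = array( 'where' => '[' . $code[1] . '] attribute ' . $a[1], 'reason' => $reason, 'value' => $value );
            }
        }
    }
    return $findings;
}

// Gutenberg blocks are stored as <!-- wp:namespace/name {"attr":"value"} --> comments.
// Only top-level string attributes are checked; nested arrays are ignored here.
function wpg_scan_blocks( $content, $namespace ) {
    $findings = array();
    $re = '/<!--\s+wp:(' . preg_quote( $namespace, '/' ) . '\/[\w-]+)\s+(\{.*?\})\s+\/?-->/s';
    preg_match_all( $re, $content, $blocks, PREG_SET_ORDER );
    foreach ( $blocks as $b ) {
        $attrs = json_decode( $b[2], true );
        if ( ! is_array( $attrs ) ) {
            continue;
        }
        foreach ( $attrs as $name => $value ) {
            $reason = is_string( $value ) ? wpg_check_value( $value ) : null;
            if ( null !== $reason ) {
                $findings[] = array( 'where' => 'block ' . $b[1] . ' attribute ' . $name, 'reason' => $reason, 'value' => $value );
            }
        }
    }
    return $findings;
}

// Constructed sample rows (post_id => post_content); the attribute names and the
// block name embedpress/youtube are assumptions, not taken from the plugin.
$sample_posts = array(
    11 => '[embedpress_calendar url="https://calendar.example/team"]',
    12 => '[embedpress_calendar url=\'" onload="alert(document.cookie)\']',
    13 => '[embedpress_calendar url="javascript:alert(1)"]',
    14 => '<!-- wp:embedpress/youtube {"url":"https://www.youtube.com/watch?v=example"} -->'
        . '<figure></figure><!-- /wp:embedpress/youtube -->',
    15 => '<!-- wp:embedpress/youtube {"url":"https://youtu.be/x\"><img src=x onerror=alert(1)>"} -->'
        . '<figure></figure><!-- /wp:embedpress/youtube -->',
    16 => 'Plain post with no embeds at all.',
);

$total = 0;
foreach ( $sample_posts as $post_id => $content ) {
    $findings = array_merge(
        wpg_scan_shortcodes( $content, array( 'embedpress_calendar', 'embedpress' ) ),
        wpg_scan_blocks( $content, 'embedpress' )
    );
    foreach ( $findings as $f ) {
        printf( "post %d: %s (%s): %s\n", $post_id, $f['where'], $f['reason'], $f['value'] );
        $total++;
    }
}
printf( "%d suspicious value(s) found; open each post in the editor and review it.\n", $total );
```

The scanner is a heuristic: a hit means a person should open that post in the editor, not that the site is compromised, and a clean run does not prove the opposite, since nested block attributes and shortcodes placed inside block content are not inspected. After reviewing the findings, update with `wp plugin update embedpress` and confirm that `wp plugin get embedpress --field=version` reports 3.9.15 or later.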

Conclusion:

The swift resolution of vulnerabilities CVE-2024-3244 and CVE-2024-3245 in the EmbedPress plugin highlights the critical role of ongoing vigilance and prompt updates in the digital security landscape. Users of the plugin are encouraged to update to version 3.9.15 or later to safeguard their WordPress sites against these and other potential threats, ensuring a secure and reliable online experience for both site administrators and visitors.

Detailed Report: 

In the digital age, where WordPress powers a significant portion of the web, plugins like EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor, play a crucial role in enriching websites with diverse content. However, the recent discovery of vulnerabilities CVE-2024-3244 and CVE-2024-3245 in this widely-used plugin underscores a vital aspect of website management: the constant vigilance required to maintain security.

About the Plugin:

EmbedPress allows WordPress users to seamlessly integrate various media types into their sites, from PDFs and Google Docs to videos from platforms like Vimeo and YouTube. With over 2.4 million downloads and 90,000 active installations, its impact is undeniable. Developed by wpdevteam, the plugin has been a staple for content-rich websites seeking to offer engaging user experiences.

Vulnerability Details:

Two significant security flaws were identified in versions up to 3.9.14 of EmbedPress:

  1. CVE-2024-3244, discovered by researcher Wesley, involves stored cross-site scripting via the plugin's 'embedpress_calendar' shortcode.
  2. CVE-2024-3245, identified by João Pedro Soares de Alcântara - Kinorth, similarly allows stored cross-site scripting but through the plugin's YouTube block.

Both vulnerabilities arise from insufficient input sanitization and output escaping of shortcode and block attributes, permitting authenticated attackers with Contributor-level access or higher to store scripts that run whenever the affected page is viewed.
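As an added illustration of the bug class behind both CVEs, not code from EmbedPress or from the researchers' reports: a hypothetical [wpg_embed] shortcode handler in its vulnerable form next to a hardened one, as it would sit in a plugin file loaded by WordPress. The shortcode tag, attribute names and function names are invented for this example; the WordPress functions shortcode_atts(), esc_url(), esc_attr() and add_shortcode() are real.

```php
<?php
/**
 * Added illustration of the bug class behind CVE-2024-3244 and CVE-2024-3245,
 * written for this report; it is not EmbedPress code. The [wpg_embed] tag and
 * its attributes are hypothetical. A block's render_callback receives its
 * $attributes from the block JSON and needs exactly the same escaping.
 */

// Vulnerable pattern: attribute values are concatenated straight into markup.
// A Contributor cannot save <script> in post content (no unfiltered_html), but a
// shortcode is stored as plain text and only becomes HTML here, at render time.
function wpg_vulnerable_embed( $atts ) {
    $atts = shortcode_atts( array( 'url' => '', 'title' => '' ), $atts, 'wpg_embed' );

    // [wpg_embed url="https://example.com" title='" onload="alert(1)']
    // renders <iframe src="https://example.com" title="" onload="alert(1)"></iframe>
    return '<iframe src="' . $atts['url'] . '" title="' . $atts['title'] . '"></iframe>';
}

// Hardened pattern: validate the URL, escape every value at the point of output.
function wpg_hardened_embed( $atts ) {
    $atts = shortcode_atts( array( 'url' => '', 'title' => '' ), $atts, 'wpg_embed' );

    // esc_url() returns '' for URLs whose scheme is not in wp_allowed_protocols(),
    // so javascript: and data: payloads are dropped and the embed is skipped.
    $url = esc_url( $atts['url'] );
    if ( '' === $url ) {
        return '';
    }

    // esc_attr() encodes quotes and angle brackets, so a value cannot close the
    // title attribute and introduce onload="..." or a new tag.
    return sprintf(
        '<iframe src="%s" title="%s" loading="lazy"></iframe>',
        $url,
        esc_attr( $atts['title'] )
    );
}

add_shortcode( 'wpg_embed', 'wpg_hardened_embed' );
```

The point of the pairing is where the defence has to live: WordPress strips script tags from post content saved by users without the unfiltered_html capability, but the shortcode text is not a tag and passes through untouched, so the render function is the last line of defence and must escape each attribute for the context it lands in. esc_url() alone is not sufficient for values that end up in an attribute or text node, and wp_kses_post() is the right tool when an attribute legitimately has to carry limited HTML.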

Risks and Potential Impacts:

Because the injected script is stored in post content, it runs in the browser of every visitor who views the affected page; if that visitor is a logged-in editor or administrator, the script can perform actions with their privileges, such as creating accounts, changing settings or redirecting visitors to attacker-controlled sites. Given the plugin's roughly 90,000 active installations, the exposure is broad, although exploitation does require a Contributor-level or higher account on the target site.

Remediation:

In response to these vulnerabilities, the developers released an updated version, 3.9.15, which addresses and patches these security gaps. Users are urged to update their EmbedPress plugin immediately to this latest version to safeguard their sites.

Previous Vulnerabilities:

This isn't the first time vulnerabilities have been discovered in EmbedPress. With 15 previous vulnerabilities reported since June 26, 2023, the plugin's security history highlights the ongoing challenge of maintaining secure software in a constantly evolving threat landscape.

For small business owners managing their WordPress sites, the discovery of these vulnerabilities in a popular plugin like EmbedPress serves as a critical reminder of the importance of regular software updates and security monitoring. Staying informed about potential vulnerabilities and acting promptly to apply available patches is essential for protecting your online presence against emerging threats. In a world where time and resources may be limited, considering automated security solutions or partnering with cybersecurity experts can provide peace of mind, ensuring that your site remains secure, reliable, and trustworthy for your users.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.