EmbedPress Vulnerability – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor – Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-3244 & CVE-2024-3245 | WordPress Plugin Vulnerability Report
Plugin Name: EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor
Key Information:
- Software Type: Plugin
- Software Slug: embedpress
- Software Status: Active
- Software Author: wpdevteam
- Software Downloads: 2,444,164
- Active Installs: 90,000
- Last Updated: April 10, 2024
- Patched Versions: 3.9.15
- Affected Versions: <= 3.9.14
Vulnerability Details:
1. Vulnerability:
- Name: EmbedPress <= 3.9.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
- CVE: CVE-2024-3244
- CVSS Score: 6.4
- Researcher: Wesley
2. Vulnerability:
- Name: EmbedPress <= 3.9.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via Youtube Block
- CVE: CVE-2024-3245
- CVSS Score: 6.4
- Researcher: João Pedro Soares de Alcântara - Kinorth
Description:
The EmbedPress plugin, a versatile tool for embedding various media types into WordPress sites, has been identified to contain two significant vulnerabilities in versions up to and including 3.9.14. These vulnerabilities, CVE-2024-3244 and CVE-2024-3245, stem from insufficient input sanitization and output escaping, allowing authenticated attackers with contributor-level access or higher to inject harmful scripts via the 'embedpress_calendar' shortcode and the plugin's Youtube block. These scripts can execute malicious actions whenever a user accesses an injected page, posing a risk to website security.
Summary:
The EmbedPress plugin for WordPress, popular for its wide range of embedding capabilities, has encountered two critical vulnerabilities in versions up to 3.9.14. These vulnerabilities, due to lax security measures, could enable attackers to perform stored cross-site scripting attacks. Thankfully, these issues have been resolved in the updated version 3.9.15.
Detailed Overview:
The vulnerabilities were discovered by researchers Wesley and João Pedro Soares de Alcântara - Kinorth, who noted the plugin's shortcomings in handling user-supplied attributes within the 'embedpress_calendar' shortcode and Youtube block. Such vulnerabilities are particularly concerning as they can lead to unauthorized access and data manipulation, underscoring the importance of rigorous security practices in plugin development. The patch in version 3.9.15 addresses these issues, reinforcing the plugin's defenses against such attacks.
Advice for Users:
- Immediate Action: Update the EmbedPress plugin to version 3.9.15 without delay to protect your site from potential exploits related to these vulnerabilities.
- Check for Signs of Vulnerability: Monitor your website for unusual activities or unauthorized content alterations, which might indicate that your site has been compromised.
- Alternate Plugins: While the patched version rectifies these vulnerabilities, exploring other reputable embedding plugins could provide additional security and functionality.
- Stay Updated: Regularly updating your WordPress plugins is crucial for maintaining a secure and functional website. Always ensure you are using the latest versions to benefit from security patches and feature enhancements.
Conclusion:
The swift resolution of vulnerabilities CVE-2024-3244 and CVE-2024-3245 in the EmbedPress plugin highlights the critical role of ongoing vigilance and prompt updates in the digital security landscape. Users of the plugin are encouraged to update to version 3.9.15 or later to safeguard their WordPress sites against these and other potential threats, ensuring a secure and reliable online experience for both site administrators and visitors.
References: