WordPress Plugin Vulnerability Report: EmbedPress – Cross-Site Request Forgery

Plugin Name: EmbedPress

Key Information:

  • Software Type: Plugin
  • Software Slug: embedpress
  • Software Status: Active
  • Software Author: wpdevteam
  • Software Downloads: 1,709,151
  • Active Installs: 80,000
  • Last Updated: September 8, 2023
  • Patched Versions: 3.8.4
  • Affected Versions: <3.8.4

Vulnerability Details:

  • Name: EmbedPress <= 3.8.3 - Cross-Site Request Forgery
  • Type: Cross-Site Request Forgery (CSRF)
  • CVSS Score: 4.3 (Medium)
  • Publicly Published: September 7, 2023
  • Description: The EmbedPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.8.3 due to missing nonce validation on the clicked() function.


The EmbedPress plugin for WordPress has a vulnerability in versions up to and including 3.8.3 that allows for Cross-Site Request Forgery (CSRF) attacks due to missing nonce validation on the clicked() function. This vulnerability has been patched in version 3.8.4.

Detailed Overview:

This vulnerability was publicly disclosed on September 7, 2023, and it affects versions of the plugin up to 3.8.3. The vulnerability resides in the absence of nonce validation on the clicked() function. This omission allows for unauthenticated attackers to trigger notice clicks via a forged request, provided they can trick a site administrator into performing actions like clicking on a link.

The CVSS Score for this vulnerability is 4.3, making it a medium-level security risk. This risk might not seem severe, but it could still have negative repercussions if not promptly addressed. The vulnerability has already been patched in version 3.8.4.

Advice for Users:

Immediate Action: It's strongly advised that users update their plugin to version 3.8.4 to mitigate the risks associated with this vulnerability.
Check for Signs of Vulnerability: Review your WordPress logs and user activity to identify any suspicious behavior, which may indicate that the vulnerability has been exploited.
Alternate Plugins: While a patch is available, users might still consider plugins that offer similar functionality as a precaution.
Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities.


The prompt response from wpdevteam to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 3.8.4 or later to secure their WordPress installations.


Detailed Report

Keeping your WordPress site secure should be a top priority, but it can be difficult to stay on top of vulnerabilities in plugins and themes. Unfortunately, a medium severity vulnerability was recently disclosed in the popular EmbedPress plugin that you need to address promptly.

EmbedPress is a widely used plugin with over 1.7 million downloads. It allows you to easily embed PDFs, videos, audio, documents, and more into WordPress pages and posts. Versions up to and including 3.8.3 contain a vulnerability that was publicly disclosed on September 7, 2023.

This vulnerability allows for unauthenticated Cross-Site Request Forgery (CSRF) attacks due to missing nonce validation on the clicked() function. In simpler terms, this means an attacker could potentially trick you into clicking a malicious link that activates unwanted actions on your site.

While this vulnerability has a CVSS severity score of only 4.3 (medium), the implications could still be serious. A successful CSRF attack could allow takeover of your admin account, content injection, or other threats. You should not wait to patch this on your site.

The good news is that the developer has already issued EmbedPress version 3.8.4 which contains the fix. To secure your site, simply update to the latest version. You can do this manually via the plugin dashboard or use an automated update plugin.

This is not the first vulnerability found in EmbedPress. There have been multiple other issues disclosed in 2022 and 2023 that also required updates. Staying on top of plugin security can be challenging for busy business owners, but is extremely important.

Keeping your plugins, themes, and WordPress core updated in a timely manner is the best way to reduce your exposure to emerging threats. Consider enabling automatic background updates or schedule regular reminders to manually check for updates. Your website's security is worth the small time investment.

Don't tackle WordPress security alone - the consequences of a breach are too great. At Your WP Guy, our managed WordPress maintenance services include layers of protection like auto-updates, malware scanning, firewalls and 24/7 monitoring by WordPress experts. We become your outsourced IT team.

Let's chat about migrating your site to our managed hosting so you can finally stop worrying about security issues. We'll fully audit and lock down your site as part of onboarding. Call us at 678-995-5169 to keep your business safe online.

WordPress Plugin Vulnerability Report: EmbedPress – Cross-Site Request Forgery FAQs

Leave a Comment