WordPress Plugin Vulnerability Report – EmbedPress – Draft Vulnerability

Plugin Name: EmbedPress

Key Information:

  • Software Type: Plugin
  • Software Slug: embedpress
  • Software Status: Active
  • Software Author: wpdevteam
  • Software Downloads: 1,889,041
  • Active Installs: 80,000
  • Last Updated: November 17, 2023
  • Patched Versions: 3.9.2
  • Affected Versions: <= 3.9.1

Vulnerability Details:

  • Name: Draft Vulnerability for EmbedPress 3.9.2
  • Title: Draft Vulnerability
  • Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CVSS Score: 6.1 (Medium)
  • Publicly Published: November 17, 2023
  • Description: The EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the hash parameter in all versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Summary:

The EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor plugin for WordPress has a reflected cross-site scripting vulnerability in versions up to and including 3.9.1 that could allow unauthenticated attackers to inject malicious scripts. This vulnerability has been patched in version 3.9.2.

Detailed Overview:

A security researcher discovered a reflected cross-site scripting vulnerability in the EmbedPress plugin that stems from insufficient sanitization of the hash URL parameter. By crafting malicious links with embedded JavaScript and tricking users into clicking on them, attackers could execute arbitrary scripts in a victim's browser within the security context of the affected site. This could be used for a range of malicious purposes such as session hijacking, site defacement, or phishing. The vulnerability is rated medium severity with a CVSS score of 6.1. It affects EmbedPress versions up to and including 3.9.1. The developer has addressed the issue promptly by releasing version 3.9.2 with proper input validation and output encoding to neutralize the threat from cross-site scripting.

Advice for Users:

  1. Immediate Action: Update to the latest EmbedPress version 3.9.2 as soon as possible.
  2. Check for Signs of Compromise: Review your site for unauthorized code changes or unusual behavior that could indicate malicious scripts were injected, and check your web server logs for requests carrying a suspicious hash parameter.
  3. Alternate Plugins: Consider using alternate plugins like Embed Plus YouTube Gallery & Lightbox as a precaution.
  4. Stay Updated: Follow the developer blog and WordPress forums related to EmbedPress to ensure you are always running the latest version.
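Advice item 2 above recommends checking web server logs. The following script, added to this report as an example (it is not EmbedPress or Wordfence code), sweeps combined-format access log lines for requests whose hash query parameter still contains markup or script markers after URL-decoding, including double-encoded values; the log lines and the assumed combined log format are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Assumed combined log format: client - user [time] "METHOD target HTTP/x" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Markup/script markers that have no place in a legitimate hash value; a triage filter, not a full XSS detector.
SUSPICIOUS_RE = re.compile(r'[<>"\']|javascript:|\bon[a-z]+\s*=', re.IGNORECASE)

def fully_decode(value, max_rounds=3):
    """Undo repeated URL-encoding so double-encoded values are inspected in decoded form."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return (client_ip, decoded_hash) when the request's hash parameter looks suspicious, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: skip it rather than abort the whole sweep
    query = urlsplit(m.group("target")).query
    # parse_qs strips one layer of URL-encoding; fully_decode handles any further layers
    for raw in parse_qs(query, keep_blank_values=True).get("hash", []):
        decoded = fully_decode(raw)
        if SUSPICIOUS_RE.search(decoded):
            return (m.group("ip"), decoded)
    return None

def find_suspicious_hash_requests(lines):
    """Sweep an iterable of log lines and collect every flagged request."""
    return [hit for hit in map(inspect_line, lines) if hit is not None]

# Constructed sample log lines (RFC 5737 documentation addresses, not real clients)
SAMPLE_LOG = [
    '198.51.100.7 - - [17/Nov/2023:10:14:01 +0000] "GET /?hash=a1b2c3d4 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [17/Nov/2023:10:15:32 +0000] "GET /?hash=%3Cscript%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [17/Nov/2023:10:16:08 +0000] "GET /page/?hash=%253Cscript%253E&x=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.1 - - [17/Nov/2023:10:17:45 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, value in find_suspicious_hash_requests(SAMPLE_LOG):
        print(f"{ip} sent hash={value!r}")
```

A hit only shows that someone sent a crafted link to the site; whether a victim's browser actually executed it is not visible from the server log, so treat hits as a prompt to confirm the update to 3.9.2 and review the site for injected code.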

Conclusion:

The timely patch from the developers addresses this medium risk vulnerability. Users should promptly update to EmbedPress version 3.9.2 or above to ensure their sites are not vulnerable to cross-site scripting attacks.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/embedpress

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/embedpress/draft-vulnerability-for-embedpress-392

Detailed Report:

Keeping your WordPress website secure requires constant vigilance - a lesson underscored by the recent disclosure of a reflected cross-site scripting vulnerability in the popular EmbedPress plugin. With over 80,000 active installs, thousands of sites remain exposed until the patch is applied.

About the Vulnerable Plugin

EmbedPress is a widely used plugin with over 1.8 million downloads that allows embedding of PDFs, videos, audios, maps and other external content into WordPress sites using Gutenberg and Elementor page builders. It is actively maintained by WPDevTeam and the current version prior to the security patch was 3.9.1.

Details of the Vulnerability

Researchers discovered a reflected cross-site scripting vulnerability in EmbedPress versions up to and including 3.9.1. The flaw stems from insufficient sanitization and escaping of the hash URL parameter. This could allow unauthenticated remote attackers to inject arbitrary JavaScript into vulnerable pages by tricking users into clicking specially crafted links.

If exploited, this could lead to account hijacking, data theft, UI defacement and other dangers. The vulnerability is rated as medium severity with a CVSS base score of 6.1.

Risks and Potential Impact

This vulnerability opens the door for serious compromise of WordPress sites running vulnerable EmbedPress versions. Cross-site scripting has been used by hackers to steal admin passwords, inject hidden redirects, capture sensitive information entered by users and deface sites.

Left unpatched, your website is exposed to the whims of attackers who could leverage the flaw to inject malicious code into your pages and wreak havoc.

How to Update and Remediate

The good news is that the developer has promptly released EmbedPress version 3.9.2 to address the issue by adding proper input validation and output encoding.

To secure your website, update to the fixed release as soon as possible. You can do this from the WordPress admin dashboard: go to Plugins > Installed Plugins and click Update next to EmbedPress.

After updating, monitor your site closely for any suspicious activities that could indicate past compromise. Also consider switching to alternate plugins like Embed Plus as a precaution.

Past Vulnerabilities

This is not the first vulnerability uncovered in EmbedPress: 5 other security flaws have been reported since June 2023 alone, which underscores the importance of staying current with releases.

Staying Secure

As a WordPress site owner, you may not have the bandwidth to stay on top of every vulnerability report and security release. But letting plugins and themes fall behind puts your website at serious risk of compromise. Invest the effort to update core WordPress as well as all plugins and themes on a regular basis.

Don't tackle WordPress security alone - the consequences of a breach are too great. At Your WP Guy, our managed WordPress maintenance services include layers of protection like auto-updates, malware scanning, firewalls and 24/7 monitoring by WordPress experts. We become your outsourced IT team.

Let's chat about migrating your site to our managed hosting so you can finally stop worrying about security issues. We'll fully audit and lock down your site as part of onboarding. Call us at 678-995-5169 to keep your business safe online.
