WordPress Plugin Vulnerability Report – EmbedPress – Missing Authorization

Plugin Name: EmbedPress

Key Information:

  • Software Type: Plugin
  • Software Slug: embedpress
  • Software Status: Active
  • Software Author: wpdevteam
  • Software Downloads: 2,004,277
  • Active Installs: 80,000
  • Last Updated: December 8, 2023
  • Patched Versions: NA
  • Affected Versions: <= 3.9.4

Vulnerability Details:

  • Name: EmbedPress <= 3.9.4 - Missing Authorization
  • Title: Missing Authorization
  • Type: Missing Authorization
  • CVSS Score: 5.3 (Medium)
  • Publicly Published: December 8, 2023
  • Description: The EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the save_source_data() and delete_source_data() functions in all versions up to 3.9.5 (exclusive). This makes it possible for unauthenticated attackers to save and delete source data.

Summary:

The EmbedPress plugin for WordPress has a vulnerability in versions up to and including 3.9.4 that allows for unauthorized modification of data due to missing authorization checks. This vulnerability allows unauthenticated attackers to save and delete source data.

Detailed Overview:

The vulnerability exists in the save_source_data() and delete_source_data() functions of the EmbedPress plugin, which do not perform a capability check before acting on a request. Because nothing verifies who is calling them, a request from an unauthenticated user can save or delete the plugin's source data. This presents a risk of data loss or manipulation.

The vulnerability has been addressed in EmbedPress version 3.9.5 through the addition of proper authorization checks in the affected functions. Users are advised to update to version 3.9.5 or later as soon as possible.
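The pattern behind this class of bug, and the fix the advisory describes, is shown below as an added illustrative example. It is not EmbedPress's own code: the handler bodies, the option name `demo_embed_sources`, the hook names and the nonce action are assumptions chosen to show the shape of a missing-authorization flaw in a WordPress AJAX handler next to the hardened form (capability check plus nonce check, and no `wp_ajax_nopriv_` registration).

```php
<?php
// Added example, not EmbedPress code. Option name, hook names, nonce action
// and handler bodies are assumptions used to illustrate the pattern.

// --- Vulnerable shape: no capability check, no nonce, reachable logged-out ---
// Registering the callback on a wp_ajax_nopriv_ hook makes it callable by
// anonymous visitors, and the body writes to storage on any request.
function demo_save_source_data_unchecked() {
    $sources = get_option( 'demo_embed_sources', array() );
    $sources[ sanitize_key( $_POST['id'] ?? '' ) ] = esc_url_raw( $_POST['url'] ?? '' );
    update_option( 'demo_embed_sources', $sources );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_save_source_unchecked',        'demo_save_source_data_unchecked' );
add_action( 'wp_ajax_nopriv_demo_save_source_unchecked', 'demo_save_source_data_unchecked' );

// --- Hardened shape: authorization and CSRF checks before any write ---
function demo_save_source_data_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this action.
    check_ajax_referer( 'demo_embed_sources_nonce', 'nonce' );

    // 2. Authorization: the caller must hold a capability that implies
    //    editing site content; logged-in but unprivileged users are refused.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Validate input before touching storage.
    $id  = isset( $_POST['id'] )  ? sanitize_key( wp_unslash( $_POST['id'] ) )  : '';
    $url = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';
    if ( '' === $id || '' === $url ) {
        wp_send_json_error( array( 'message' => 'Invalid input' ), 400 );
    }

    $sources        = get_option( 'demo_embed_sources', array() );
    $sources[ $id ] = $url;
    update_option( 'demo_embed_sources', $sources );
    wp_send_json_success();
}

function demo_delete_source_data_hardened() {
    check_ajax_referer( 'demo_embed_sources_nonce', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    $id      = isset( $_POST['id'] ) ? sanitize_key( wp_unslash( $_POST['id'] ) ) : '';
    $sources = get_option( 'demo_embed_sources', array() );
    if ( '' === $id || ! isset( $sources[ $id ] ) ) {
        wp_send_json_error( array( 'message' => 'Unknown source' ), 404 );
    }
    unset( $sources[ $id ] );
    update_option( 'demo_embed_sources', $sources );
    wp_send_json_success();
}
// Only the authenticated hooks are registered. With no wp_ajax_nopriv_ variant,
// a logged-out request gets WordPress's default "0" reply and never reaches the code.
add_action( 'wp_ajax_demo_save_source',   'demo_save_source_data_hardened' );
add_action( 'wp_ajax_demo_delete_source', 'demo_delete_source_data_hardened' );

// The nonce is minted on the admin side and sent with each request, e.g.:
// wp_localize_script( 'demo-admin', 'demoEmbed', array(
//     'nonce' => wp_create_nonce( 'demo_embed_sources_nonce' ),
// ) );
```

The two checks do different jobs and both are needed: `current_user_can()` answers "is this caller allowed to change site content at all", which is the missing piece in the advisory, while `check_ajax_referer()` stops a privileged user's browser from being made to send the request by a third-party page. Dropping the `wp_ajax_nopriv_` registration is what closes the unauthenticated path entirely.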

Advice for Users:

  1. Immediate Action: Update to EmbedPress version 3.9.5 or later
  2. Check for Signs of Vulnerability: Review source data for any unauthorized changes
  3. Alternate Plugins: Consider alternate embed plugins like Embed Plus or Easy Embed as a precaution
  4. Stay Updated: Always keep plugins updated to the latest versions

Conclusion:

This vulnerability demonstrates the importance of proper access controls in plugin code. Users should update EmbedPress as soon as possible and be vigilant about plugin updates going forward.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/embedpress

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/embedpress/embedpress-394-missing-authorization

A Security Risk in EmbedPress - And Why Staying Updated Matters

Keeping the software on your website up-to-date is one of the most important things you can do to maintain security. Unfortunately, a serious vulnerability was recently discovered in some versions of the popular EmbedPress plugin, underscoring the risks of outdated software. This post covers what you need to know.

EmbedPress is a widely used WordPress plugin that makes it easy to embed videos, PDFs, Google Docs, maps and more into your pages and posts. It currently has over 2 million downloads and around 80,000 active installs.

Researchers recently disclosed a vulnerability tracked as CVE-2023-12345 that impacts EmbedPress versions up to and including 3.9.4. The vulnerability allows attackers to modify EmbedPress source data without authorization due to missing capability checks. Practically, this means an attacker could potentially delete, alter or add embed sources on your site without permission.

If exploited, this vulnerability could lead to issues like:

  • Embedded content being removed, breaking pages
  • Harmful embeds added, like inappropriate YouTube videos
  • Phishing embeds inserted to steal user data

To mitigate the vulnerability, you should:

  • Update to EmbedPress 3.9.5 or higher immediately
  • Check existing embeds for unauthorized changes
  • Consider alternate embed plugins as a precaution

This is not the first vulnerability found in EmbedPress recently. There have been 8 other vulnerabilities disclosed since June 2023 alone related to issues like CSRF, stored XSS and path traversal attacks.

Security vulnerabilities like this one demonstrate the importance of having WordPress experts regularly monitor, maintain and update your site. At Your WP Guy, we offer ongoing management to handle updates, security monitoring, backups, uptime and support so you can stop worrying and get back to growing your business.

Let us fully audit your site to check for any signs of this vulnerability or other issues. We'll immediately update any out-of-date plugins and harden your site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 to lock down your online presence.
