EmbedPress < 4.0.5 – Missing Authorization | CVE 2024-38707 | Plugin Vulnerabilities

Description

The EmbedPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions like get_instagram_userdata_ajax, sync_instagram_data_ajax, and delete_instagram_account in versions up to, and including, 4.0.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify Instagram settings.

Affects Plugins

Fixed in 4.0.5

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/f507cec5-d66c-4cb0-8c35-a985aaee1283

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Rafie Muhammad

Verified

No

WPVDB ID

3300fd33-de42-4ab3-8674-81594b1f6444

Timeline

Publicly Published

2024-07-11 (about 1 year ago)

Added

2024-07-17 (about 1 year ago)

Last Updated

2024-07-17 (about 1 year ago)

Other

Published

Title

Published

2026-01-30

Title

Booking Calendar < 10.14.14 - Missing Authorization to Unauthenticated Booking Details Exposure

Published

2025-06-05

Title

Ultimate WP Mail < 1.3.6 - Missing Authorization

Published

2024-04-09

Title

WP Radio – Worldwide Online Radio Stations Directory for WordPress <= 3.1.9 - Missing Authorization via multiple AJAX actions

Published

2025-01-24

Title

Admin and Site Enhancements (ASE) Pro < 7.6.3 - Missing Authorization

Published

2025-12-31

Title

Signature Add-On for Gravity Forms < 1.8.7 - Missing Authorization