WordPress Plugin Vulnerabilities

EmbedSocial – Social Media Feeds, Reviews and Galleries < 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description

The EmbedSocial – Social Media Feeds, Reviews and Galleries plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'embedsocial_reviews' shortcode in all versions up to, and including, 1.1.29 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
embedalbum-pro
Fixed in 1.2.1

References

CVE
CVE-2024-3984
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/6593b0de-db7a-4b7e-bd74-cc2b1e36ac60

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Krzysztof Zając
Verified
No
WPVDB ID
50277ab2-cfb1-4f03-a389-d2b42071175c

Timeline

Publicly Published
2024-06-18 (about 1 year ago)
Added
2024-06-18 (about 1 year ago)
Last Updated
2024-07-02 (about 1 year ago)

Other

Published
Title
Published
2023-01-12
Title
Annual Archive < 1.6.0 - Contributor+ Stored XSS
Published
2025-08-25
Title
Add Code To Head <= 1.17 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2024-06-03
Title
SEOPress < 7.8 - Contributor+ Stored XSS
Published
2014-08-01
Title
Wp-UserOnline < 2.70 - Stored Cross-Site Scripting (XSS)
Published
2025-07-16
Title
JetTricks < 1.5.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting