WordPress Plugin Vulnerabilities

EmbedPress – Embed PDF, 3D Flipbook, Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Audios, Google Maps in Gutenberg Block & Elementor < 4.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'provider_name'

Description

The EmbedPress – Embed PDF, 3D Flipbook, Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Audios, Google Maps in Gutenberg Block & Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘provider_name parameter in all versions up to, and including, 4.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
embedpress
Fixed in 4.1.4

References

CVE
CVE-2024-11203
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/167dedfa-36cc-4b01-8ea4-8eda8742953c

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Max Boll (_b0lli)
Verified
No
WPVDB ID
91529f39-5792-4fcf-8eac-09437299ea06

Timeline

Publicly Published
2024-11-27 (about 1 year ago)
Added
2024-11-27 (about 1 year ago)
Last Updated
2024-11-28 (about 1 year ago)

Other

Published
Title
Published
2025-05-02
Title
VerticalResponse Newsletter Widget <= 1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-05-09
Title
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) < 1.5.103 - Reflected Cross-Site Scripting
Published
2025-03-06
Title
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin < 1.6.8.5 - Reflected Cross-Site Scripting
Published
2023-09-26
Title
Restrict < 2.2.5 - Reflected XSS
Published
2022-10-28
Title
Slideshow SE < 2.5.6 - Author+ Stored XSS