🧹It's time for some spring cleaning! All researchers earn over 6.25x our normal bounty rates, through May 27th, 2024, when Wordfence handles responsible disclosure for our Spring Cleaning Bug Extravaganza! Learn more about our bug bounty program
Register as a researcher and submit your vulnerabilities today!

EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor

Wordfence Intelligence > Vulnerability Database > WordPress Plugins > EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor

Information

Software Type	Plugin
Software Slug	embedpress (view on wordpress.org)
Software Status	Active
Software Author	wpdevteam
Software Website	embedpress.com
Software Downloads	2,555,145
Software Active Installs	90,000
Software Record Last Updated	May 19, 2024

20 Vulnerabilities

EmbedPress <= 3.8.3 - Cross-Site Request Forgery

4.3

CVE-2023-51375

Sep 7, 2023

Researcher: Abdi Pranata

EmbedPress <= 3.9.11 - Missing Authorization

5.3

CVE-2024-31274

Apr 5, 2024

Researcher: Mika

EmbedPress <= 3.9.8 - Missing Authorization via handle_calendly_data

5.3

CVE-2024-31284

Apr 5, 2024

Researcher: Majed Refaea

EmbedPress <= 3.9.4 - Missing Authorization

5.3

CVE ID Unknown

Dec 8, 2023

Researchers:

EmbedPress <= 3.7.3 - Sensitive Information Exposure

5.3

CVE-2023-3371

Jun 26, 2023

Researcher: István Márton

EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor <= 3.9.12 - Authenticated (Contributor+) Stored Cross-site Scripting via 'embedpress_doc_custom_color'

5.4

CVE-2024-2688

Mar 22, 2024

Researchers: Ngô Thiên An (ancorn_), ST

EmbedPress <= 3.8.2 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Delete via admin_post_remove and remove_private_data

5.4

CVE-2023-4282

Aug 9, 2023

Researcher: István Márton

EmbedPress <= 3.9.1 - Reflected Cross-Site Scripting

6.1

CVE-2023-5750

Nov 17, 2023

Researcher: Erwan LR

EmbedPress <= 3.9.1 - Reflected Cross-Site Scripting

6.1

CVE-2023-5749

Nov 17, 2023

Researcher: Krzysztof Zając

Freemius SDK <= 2.5.9 - Reflected Cross-Site Scripting via fs_request_get

6.1

CVE-2023-33999

Jul 18, 2023

Researcher: Rafie Muhammad

EmbedPress Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor <= 3.9.16 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter

6.4

CVE-2024-4316

May 9, 2024

Researcher: stealthcopter

EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor <= 3.9.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVE-2024-3244

Apr 5, 2024

Researcher: wesley (wcraft)

6.4

CVE-2024-3245

Apr 5, 2024

Researcher: João Pedro Soares de Alcântara

EmbedPress <= 3.9.12 - Authenticated(Contributor+) Stored Cross-Site Scripting via Widget Attribute

6.4

CVE-2024-2468

Mar 22, 2024

Researcher: wesley (wcraft)

EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor <= 3.9.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via EmbedPress PDF Widget

6.4

CVE-2024-2128

Mar 7, 2024

Researcher: wesley (wcraft)

6.4

CVE-2024-1802

Mar 7, 2024

Researchers: Ngô Thiên An (ancorn_), Dau Hoang Tai

EmbedPress <= 3.9.8 - Authenticated(Contributor+) Stored Cross-Site Scripting via Google Calendar Widget Link

6.4

CVE-2024-1425

Feb 14, 2024

Researcher: wesley (wcraft)

EmbedPress <= 3.9.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVE-2024-1349

Feb 14, 2024

Researcher: Richard Telleng (stueotue)

EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor <= 3.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVE-2023-6986

Jan 2, 2024

Researcher: Ngô Thiên An (ancorn_)

EmbedPress <= 3.8.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVE-2023-4283

Aug 9, 2023

Researcher: István Márton

Title	Status	CVE ID	CVSS	Researchers	Date
EmbedPress <= 3.8.3 - Cross-Site Request Forgery	Patched	CVE-2023-51375	4.3	Abdi Pranata	September 7, 2023
EmbedPress <= 3.9.11 - Missing Authorization	Patched	CVE-2024-31274	5.3	Mika	April 5, 2024
EmbedPress <= 3.9.8 - Missing Authorization via handle_calendly_data	Patched	CVE-2024-31284	5.3	Majed Refaea	April 5, 2024
EmbedPress <= 3.9.4 - Missing Authorization	Patched		5.3		December 8, 2023
EmbedPress <= 3.7.3 - Sensitive Information Exposure	Patched	CVE-2023-3371	5.3	István Márton	June 26, 2023
EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor <= 3.9.12 - Authenticated (Contributor+) Stored Cross-site Scripting via 'embedpress_doc_custom_color'	Patched	CVE-2024-2688	5.4	Ngô Thiên An (ancorn_), ST	March 22, 2024
EmbedPress <= 3.8.2 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Delete via admin_post_remove and remove_private_data	Patched	CVE-2023-4282	5.4	István Márton	August 9, 2023
EmbedPress <= 3.9.1 - Reflected Cross-Site Scripting	Patched	CVE-2023-5750	6.1	Erwan LR	November 17, 2023
EmbedPress <= 3.9.1 - Reflected Cross-Site Scripting	Patched	CVE-2023-5749	6.1	Krzysztof Zając	November 17, 2023
Freemius SDK <= 2.5.9 - Reflected Cross-Site Scripting via fs_request_get	Patched	CVE-2023-33999	6.1	Rafie Muhammad	July 18, 2023
EmbedPress Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor <= 3.9.16 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter	Patched	CVE-2024-4316	6.4	stealthcopter	May 9, 2024
EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor <= 3.9.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	Patched	CVE-2024-3244	6.4	wesley (wcraft)	April 5, 2024
EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor <= 3.9.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via Youtube Block	Patched	CVE-2024-3245	6.4	João Pedro Soares de Alcântara	April 5, 2024
EmbedPress <= 3.9.12 - Authenticated(Contributor+) Stored Cross-Site Scripting via Widget Attribute	Patched	CVE-2024-2468	6.4	wesley (wcraft)	March 22, 2024
EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor <= 3.9.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via EmbedPress PDF Widget	Patched	CVE-2024-2128	6.4	wesley (wcraft)	March 7, 2024
EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor <= 3.9.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via Wistia Block	Patched	CVE-2024-1802	6.4	Ngô Thiên An (ancorn_), Dau Hoang Tai	March 7, 2024
EmbedPress <= 3.9.8 - Authenticated(Contributor+) Stored Cross-Site Scripting via Google Calendar Widget Link	Patched	CVE-2024-1425	6.4	wesley (wcraft)	February 14, 2024
EmbedPress <= 3.9.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	Patched	CVE-2024-1349	6.4	Richard Telleng (stueotue)	February 14, 2024
EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor <= 3.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	Patched	CVE-2023-6986	6.4	Ngô Thiên An (ancorn_)	January 2, 2024
EmbedPress <= 3.8.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	Patched	CVE-2023-4283	6.4	István Márton	August 9, 2023

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation