🦸 Calling all superheroes! Introducing the WordPress Superhero Challenge for the Wordfence Bug Bounty Program: Earn up to $31,200 for High Impact Vulnerabilities! Through October 14th, 2024, all vulnerabilities reported in plugins or themes with >= 5,000,000 active installs will be 3x our highest bounty rewards making our top reward $31,200. Check out the updated bounties here!

EmbedPress – Embed PDF, 3D Flipbook, Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Audios, Google Maps in Gutenberg Block & Elementor

Wordfence Intelligence > Vulnerability Database > WordPress Plugins > EmbedPress – Embed PDF, 3D Flipbook, Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Audios, Google Maps in Gutenberg Block & Elementor

Information

Software Type	Plugin
Software Slug	embedpress (view on wordpress.org)
Software Status	Active
Software Author	wpdevteam
Software Website	embedpress.com
Software Downloads	3,199,565
Software Active Installs	100,000
Software Record Last Updated	September 18, 2024

Showing 1-20 of 27 Vulnerabilities

Submit a Vulnerability

EmbedPress <= 4.0.9 - Unauthenticated Local File Inclusion

9.8

CVE-2024-43328

Aug 16, 2024

Researcher: Rafie Muhammad

EmbedPress <= 4.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-43936

Aug 26, 2024

Researcher: João Pedro Soares de Alcântara

EmbedPress <= 3.9.10 - Authenticated(Contributor+) Stored Cross-Site Scripting via PDF Widget URL

6.4

CVE-2024-1565

Jun 12, 2024

Researcher: RandomRoot

EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor <= 4.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via EmbedPress PDF Widget

6.4

CVE-2024-5571

Jun 4, 2024

Researcher: wesley (wcraft)

PDF.js < 4.2.67 - Arbitrary JavaScript Execution

6.4

CVE-2024-4367

May 20, 2024

Researchers: Colin Xu, James Myers (ConfidenceRemainsHigh), Codean Labs

EmbedPress Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor <= 3.9.16 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter

6.4

CVE-2024-4316

May 9, 2024

Researcher: stealthcopter

EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor <= 3.9.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVE-2024-3244

Apr 5, 2024

Researcher: wesley (wcraft)

6.4

CVE-2024-3245

Apr 5, 2024

Researcher: João Pedro Soares de Alcântara

EmbedPress <= 3.9.12 - Authenticated(Contributor+) Stored Cross-Site Scripting via Widget Attribute

6.4

CVE-2024-2468

Mar 22, 2024

Researcher: wesley (wcraft)

EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor <= 3.9.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via EmbedPress PDF Widget

6.4

CVE-2024-2128

Mar 7, 2024

Researcher: wesley (wcraft)

6.4

CVE-2024-1802

Mar 7, 2024

Researchers: Ngô Thiên An (ancorn_), Dau Hoang Tai

EmbedPress <= 3.9.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVE-2024-1349

Feb 14, 2024

Researcher: Richard Telleng (stueotue)

EmbedPress <= 3.9.8 - Authenticated(Contributor+) Stored Cross-Site Scripting via Google Calendar Widget Link

6.4

CVE-2024-1425

Feb 14, 2024

Researcher: wesley (wcraft)

EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor <= 3.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVE-2023-6986

Jan 2, 2024

Researcher: Ngô Thiên An (ancorn_)

EmbedPress <= 3.8.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVE-2023-4283

Aug 9, 2023

Researcher: István Márton

EmbedPress <= 3.9.1 - Reflected Cross-Site Scripting

6.1

CVE-2023-5750

Nov 17, 2023

Researcher: Erwan LR

EmbedPress <= 3.9.1 - Reflected Cross-Site Scripting

6.1

CVE-2023-5749

Nov 17, 2023

Researcher: Krzysztof Zając

Freemius SDK <= 2.5.9 - Reflected Cross-Site Scripting via fs_request_get

6.1

CVE-2023-33999

Jul 18, 2023

Researcher: Rafie Muhammad

EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor <= 3.9.12 - Authenticated (Contributor+) Stored Cross-site Scripting via 'embedpress_doc_custom_color'

5.4

CVE-2024-2688

Mar 22, 2024

Researchers: Ngô Thiên An (ancorn_), ST

EmbedPress <= 3.8.2 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Delete via admin_post_remove and remove_private_data

5.4

CVE-2023-4282

Aug 9, 2023

Researcher: István Márton

Title	Status	CVE ID	CVSS	Researchers	Date
EmbedPress <= 4.0.9 - Unauthenticated Local File Inclusion	Patched	CVE-2024-43328	9.8	Rafie Muhammad	August 16, 2024
EmbedPress <= 4.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting	Patched	CVE-2024-43936	6.4	João Pedro Soares de Alcântara	August 26, 2024
EmbedPress <= 3.9.10 - Authenticated(Contributor+) Stored Cross-Site Scripting via PDF Widget URL	Patched	CVE-2024-1565	6.4	RandomRoot	June 12, 2024
EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor <= 4.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via EmbedPress PDF Widget	Patched	CVE-2024-5571	6.4	wesley (wcraft)	June 4, 2024
PDF.js < 4.2.67 - Arbitrary JavaScript Execution	Patched	CVE-2024-4367	6.4	Colin Xu, James Myers (ConfidenceRemainsHigh), Codean Labs	May 20, 2024
EmbedPress Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor <= 3.9.16 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter	Patched	CVE-2024-4316	6.4	stealthcopter	May 9, 2024
EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor <= 3.9.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	Patched	CVE-2024-3244	6.4	wesley (wcraft)	April 5, 2024
EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor <= 3.9.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via Youtube Block	Patched	CVE-2024-3245	6.4	João Pedro Soares de Alcântara	April 5, 2024
EmbedPress <= 3.9.12 - Authenticated(Contributor+) Stored Cross-Site Scripting via Widget Attribute	Patched	CVE-2024-2468	6.4	wesley (wcraft)	March 22, 2024
EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor <= 3.9.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via EmbedPress PDF Widget	Patched	CVE-2024-2128	6.4	wesley (wcraft)	March 7, 2024
EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor <= 3.9.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via Wistia Block	Patched	CVE-2024-1802	6.4	Ngô Thiên An (ancorn_), Dau Hoang Tai	March 7, 2024
EmbedPress <= 3.9.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	Patched	CVE-2024-1349	6.4	Richard Telleng (stueotue)	February 14, 2024
EmbedPress <= 3.9.8 - Authenticated(Contributor+) Stored Cross-Site Scripting via Google Calendar Widget Link	Patched	CVE-2024-1425	6.4	wesley (wcraft)	February 14, 2024
EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor <= 3.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	Patched	CVE-2023-6986	6.4	Ngô Thiên An (ancorn_)	January 2, 2024
EmbedPress <= 3.8.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	Patched	CVE-2023-4283	6.4	István Márton	August 9, 2023
EmbedPress <= 3.9.1 - Reflected Cross-Site Scripting	Patched	CVE-2023-5750	6.1	Erwan LR	November 17, 2023
EmbedPress <= 3.9.1 - Reflected Cross-Site Scripting	Patched	CVE-2023-5749	6.1	Krzysztof Zając	November 17, 2023
Freemius SDK <= 2.5.9 - Reflected Cross-Site Scripting via fs_request_get	Patched	CVE-2023-33999	6.1	Rafie Muhammad	July 18, 2023
EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor <= 3.9.12 - Authenticated (Contributor+) Stored Cross-site Scripting via 'embedpress_doc_custom_color'	Patched	CVE-2024-2688	5.4	Ngô Thiên An (ancorn_), ST	March 22, 2024
EmbedPress <= 3.8.2 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Delete via admin_post_remove and remove_private_data	Patched	CVE-2023-4282	5.4	István Márton	August 9, 2023

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation