CVE-2023-6986 in EmbedPress Plugininfo

Summary

by MITRE • 01/03/2024

The EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's embed_oembed_html shortcode in all versions up to 3.9.5 (exclusive) due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 04/11/2026

The vulnerability identified as CVE-2023-6986 affects the EmbedPress WordPress plugin, specifically targeting versions prior to 3.9.5. This plugin facilitates embedding various media types including PDFs, videos, audio files, and documents within WordPress sites using popular page builders like Gutenberg and Elementor. The security flaw manifests in the plugin's embed_oembed_html shortcode implementation where inadequate input validation and output escaping mechanisms fail to properly sanitize user-supplied attributes. This represents a classic stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts that persist in the application's database and execute whenever affected pages are accessed by other users.

The technical exploitation of this vulnerability occurs through the manipulation of shortcode attributes that are processed by the plugin's backend functionality. When administrators or users with contributor-level permissions or higher create or modify content containing the vulnerable shortcode, the plugin fails to adequately sanitize the input parameters before storing them in the database. This insufficient sanitization creates a persistent XSS vector where malicious scripts can be stored and executed in the context of any user's browser who views pages containing the compromised content. The vulnerability specifically targets the output escaping mechanisms that should prevent malicious code from being rendered as executable JavaScript within web browsers, leaving the application susceptible to script injection attacks.

The operational impact of this vulnerability extends beyond simple script execution as it provides attackers with the ability to perform various malicious activities through the compromised WordPress installation. Attackers can leverage this vulnerability to steal session cookies, redirect users to malicious websites, deface content, or even escalate privileges within the WordPress environment. The fact that this vulnerability requires only contributor-level permissions or higher makes it particularly concerning as it can be exploited by users who have legitimate access to content creation features but lack administrative privileges. This creates a significant risk for sites where multiple users have editing capabilities, as any compromised contributor account could be used to inject malicious scripts that affect all site visitors.

From a security standards perspective, this vulnerability maps directly to CWE-79: Cross-Site Scripting and ATT&CK technique T1566.001: Phishing with Social Engineering. The insufficient input sanitization and output escaping mechanisms violate fundamental security principles for preventing XSS attacks. Organizations should immediately implement patch management procedures to upgrade to version 3.9.5 or later of the EmbedPress plugin, as this release contains the necessary fixes to address the input validation and output escaping deficiencies. Additionally, administrators should review user permissions to ensure that only trusted individuals have contributor-level access or higher, and consider implementing additional security measures such as content security policies to mitigate the impact of potential exploitation attempts. The vulnerability highlights the importance of proper input validation and output escaping in web applications and serves as a reminder of the critical need for regular security updates and thorough testing of third-party plugins before deployment in production environments.

Responsible

Wordfence

Reservation

12/20/2023

Disclosure

01/03/2024

Moderation

accepted

CPE

ready

EPSS

0.00427

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!