CVE-2026-7796 in EmbedPress Plugin
Summary
by MITRE • 06/06/2026
The EmbedPress – PDF Embedder, Embed PDF viewer, YouTube Videos, 3D FlipBook, Social feeds & more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the block 'url' attribute in all versions up to, and including, 4.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 06/06/2026
The EmbedPress WordPress plugin suffers from a critical stored cross-site scripting vulnerability that affects all versions up to and including 4.5.3. This vulnerability resides within the block 'url' attribute processing mechanism, where the plugin fails to adequately sanitize user input before storing it in the database. The flaw represents a classic stored XSS weakness that allows attackers to inject malicious scripts into the plugin's output rendering system. The vulnerability specifically targets authenticated users with contributor-level permissions or higher, making it particularly dangerous in environments where multiple users have access to the WordPress administration interface. The security risk escalates because the malicious scripts persist in the database and execute every time a user accesses a page containing the compromised content, creating a persistent threat vector that can affect any user who views the affected pages.
The technical exploitation of this vulnerability occurs through the manipulation of the block 'url' attribute parameter within the plugin's shortcode processing functionality. When an authenticated attacker with contributor privileges creates or modifies content using the EmbedPress plugin, they can inject malicious JavaScript code into the URL field. The plugin's insufficient input sanitization means that special characters and script tags are not properly escaped or filtered before being stored in the WordPress database. This stored data is then retrieved and rendered in subsequent page views without proper output escaping, allowing the injected scripts to execute in the context of other users' browsers. The vulnerability's impact is amplified by the fact that it affects the plugin's core functionality for embedding various media types including PDF documents, YouTube videos, and 3D flipbooks, making it a versatile attack vector across multiple content types. This weakness aligns with CWE-79, which specifically addresses cross-site scripting vulnerabilities in web applications.
The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to perform a wide range of malicious activities including session hijacking, credential theft, and data exfiltration. An attacker could craft malicious URLs that redirect users to phishing pages, steal cookies from authenticated sessions, or inject additional malicious content that persists across multiple user interactions. The vulnerability affects any WordPress installation using the EmbedPress plugin in versions up to 4.5.3, potentially compromising thousands of websites that rely on this functionality for embedding external content. The persistent nature of stored XSS means that the attack remains active until the malicious content is manually removed from the database or the plugin is updated, creating a long-term security risk for affected sites. Additionally, the vulnerability can be leveraged to escalate privileges within the WordPress environment, as the injected scripts can interact with the browser's DOM and potentially access administrative functions if the victim has elevated permissions.
Organizations should immediately update to the latest version of the EmbedPress plugin where this vulnerability has been patched, as no working exploit is publicly available for versions beyond 4.5.3. System administrators should conduct thorough audits of their WordPress installations to identify any instances of the vulnerable plugin and ensure that all users with contributor-level access or higher are properly monitored for suspicious activity. The mitigation strategy should include implementing proper input validation and output escaping mechanisms, as recommended by the OWASP Top Ten project and the ATT&CK framework's defense-in-depth principles. Regular security scanning of WordPress installations should include checks for vulnerable plugins and their versions, with automated alerts configured for any detected instances of the EmbedPress plugin in affected versions. Additionally, implementing content security policies and restricting user permissions to the minimum required level can significantly reduce the impact of such vulnerabilities, as the attack requires authenticated access with contributor privileges or higher to be effective.