MEDIUM 6.4

CVE-2026-7796: EmbedPress WordPress Plugin Stored XSS Vulnerability (CVSS 6.4)

The EmbedPress WordPress plugin, used for embedding PDFs, videos, and other rich media content, contains a stored cross-site scripting (XSS) vulnerability that allows attackers with contributor-level access to inject malicious scripts into pages. When other users visit those pages, the injected scripts execute in their browsers, potentially allowing attackers to steal credentials, perform unauthorized actions, or compromise user sessions. This affects all versions up to and including 4.5.3.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
0 configuration(s)
Published / Modified
2026-06-06 / 2026-06-17

NVD description (verbatim)

The EmbedPress – PDF Embedder, Embed PDF viewer, YouTube Videos, 3D FlipBook, Social feeds & more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the block 'url' attribute in all versions up to, and including, 4.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page

11 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-7796 is a stored XSS vulnerability in the EmbedPress plugin for WordPress, tracked under CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability exists in the block 'url' attribute handling, where insufficient input sanitization and output escaping allows authenticated users with contributor role or higher to persist malicious JavaScript code. The injected payload is stored server-side and executed in the context of any user's browser that accesses the affected page, establishing a persistent attack vector. The CVSS 3.1 base score of 6.4 (MEDIUM severity, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) reflects that exploitation requires network access and low-level authentication privileges, but impacts confidentiality and integrity across site boundaries.

Business impact

Organizations running EmbedPress should assess whether contributor-level users are trusted, as this vulnerability enables those users to compromise page integrity and user trust. Stored XSS on public-facing pages can lead to credential harvesting, session hijacking, or malware distribution to site visitors. For multi-user WordPress installations—particularly those accepting guest authors or managing community content—this represents a meaningful insider risk. Remediation delays expose the organization to persistent payload execution and potential secondary compromises of visitor accounts.

Affected systems

The EmbedPress – PDF Embedder plugin for WordPress is affected in all versions up to and including 4.5.3. The vulnerability requires authenticated access at contributor level or above; it does not affect unauthenticated visitors. WordPress installations with the plugin active and users granted contributor, author, or editor roles are in scope. Unaffected versions and patched releases should be confirmed against the official plugin repository or vendor advisory.

Exploitability

Exploitation requires a valid WordPress user account with contributor-level permissions or higher. No public exploit code is known to be active; the vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog. However, the barrier to weaponization is low: an attacker with such credentials can inject scripts through the block 'url' attribute using standard WordPress editor interfaces. The attack is stored and executed passively when victims access the page, removing the need for social engineering or victim interaction. Organizations with strict access controls limiting contributor roles face lower risk.

Remediation

Immediately update the EmbedPress plugin to a patched version that addresses the input sanitization and output escaping deficiencies. Verify the patched version against the official WordPress plugin repository or the vendor security advisory. Pending patch deployment, restrict contributor-level access to trusted users only, or temporarily deactivate the plugin if it is not critical to operations. After patching, audit existing pages and posts for injected scripts or unusual content in the block 'url' attributes, and review contributor activity logs for suspicious changes.

Patch guidance

Check the official EmbedPress plugin page on WordPress.org for available updates. Apply the patch that addresses the sanitization and escaping issues in the block 'url' attribute. Verify the update version exceeds 4.5.3. Test the update in a staging environment before production deployment to ensure compatibility with your site's theme and other plugins. Enable automatic updates for the plugin if your update policy permits, and configure WordPress security scanners to monitor for this CVE.

Detection guidance

Monitor WordPress activity logs and audit trails for modifications to pages or posts containing EmbedPress blocks, especially by lower-privileged users. Search the site's database and post content for suspicious JavaScript or iframe injection patterns in block 'url' attributes. Use WordPress security plugins with XSS detection capabilities to scan for stored payloads. Review user permissions and audit contributor account creation and usage. Inspect HTTP responses for unexpected script tags or event handlers in embedded content. Network-level detection is limited because payloads are stored server-side; focus on content inspection and access logs.

Why prioritize this

This vulnerability merits prompt attention because it enables authenticated attackers to compromise site content and visitor trust through persistent injection. The MEDIUM severity rating and lack of active exploitation do not justify deferral; the simplicity of exploitation for privileged users, combined with the scope crossing (affecting other users' browsing contexts), makes it a practical risk to multi-user WordPress sites. Organizations with guest authors or high-volume contributor accounts should prioritize patching within 1–2 weeks. Those with tightly controlled contributor access may extend the timeline slightly, but should not delay beyond 3–4 weeks.

Risk score, explained

The CVSS 3.1 score of 6.4 reflects the following: Network accessibility (AV:N) and low attack complexity (AC:L) make the vulnerability easy to exploit once authenticated. However, the requirement for authenticated access with contributor privilege (PR:L) and no user interaction (UI:N) constrains the initial attack surface. Scope Changing (S:C) increases the score because the injected script affects other users' security contexts. Confidentiality and Integrity impacts (C:L, I:L) are limited in magnitude but meaningful, as they enable credential theft or unauthorized page modification rather than system-wide compromise. No availability impact (A:N) is expected. The result is a MEDIUM-severity vulnerability that requires proactive patching but is not typically grounds for emergency response.

Frequently asked questions

Who is at risk from this vulnerability?

WordPress sites running EmbedPress up to version 4.5.3 are at risk if they have users with contributor-level access or higher. This includes multi-author blogs, community sites with guest authors, and any installation where non-administrator users can create or edit pages. Single-administrator sites face lower risk unless the admin account is compromised.

Can unauthenticated users exploit this vulnerability?

No. The vulnerability requires a valid WordPress account with at least contributor-level permissions. Unauthenticated visitors cannot directly inject scripts, but they are affected if a contributor has already injected a malicious payload—they will execute the script when viewing the compromised page.

What should I do right now if I use EmbedPress?

First, verify your installed version by checking the Plugins page in WordPress admin. If you are running version 4.5.3 or earlier, update the plugin immediately to the latest patched version available on WordPress.org. After updating, audit recent page and post edits by contributors for suspicious content in EmbedPress blocks. Review and restrict contributor access if necessary.

Is this vulnerability actively being exploited in the wild?

The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog, and no public exploits or active attacks have been widely reported. However, the simplicity of exploitation means that opportunistic attacks by malicious insiders or competitors with contributor access are plausible. Do not delay patching based on lack of public awareness.

This analysis is based on CVE-2026-7796 data published on 2026-06-06 and modified on 2026-06-17. All version numbers, CVSS scores, and vulnerability details are drawn from authoritative source data. Readers should verify patch availability and compatibility with their specific WordPress environment against the official plugin repository and vendor security advisories. SEC.co does not provide legal liability for organizations that fail to remediate. Exploitation likelihood and business impact vary by organizational context; tailor your remediation timeline to your risk tolerance and user trust model. This explainer is for informational purposes and does not replace a comprehensive vulnerability management program or professional security consultation. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).