Impact
The vulnerability in WordPress EmbedPress versions 4.5.2 and earlier permits unauthenticated exposure of sensitive data stored or displayed by the plugin. Because the plugin does not enforce authentication for its data endpoints, an attacker can retrieve confidential information such as configuration settings, embedded content details, or other private content managed by the plugin. This flaw is identified as CWE‑639, indicating a missing or improperly applied access control mechanism.
Affected Systems
Websites that have installed WPDeveloper’s EmbedPress plugin version 4.5.2 or any earlier release are affected. The issue is limited to the plugin itself and does not extend to core WordPress functionality. Sites must update to version 4.5.3 or later to remove the unauthenticated data exposure.
Risk and Exploitability
The CVSS score of 7.5 indicates a high severity risk, while the EPSS score of < 1 % suggests that exploitation is currently unlikely in the wild. The vulnerability is not listed in the CISA KEV catalog, implying no publicly documented exploits have been observed. Based on the description, it is inferred that the attack vector is remote via the web interface, with no authentication required, allowing any Internet‑exposed server running an affected plugin version to be potentially impacted.
OpenCVE Enrichment