Description
The EmbedPress – PDF Embedder, Embed PDF viewer, YouTube Videos, 3D FlipBook, Social feeds & more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the block 'url' attribute in all versions up to, and including, 4.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-06-06
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The plugin fails to sanitize and escape the 'url' attribute in Gutenberg blocks, allowing authenticated users with contributor-level privileges to embed malicious scripts. Because the flaw is a stored cross-site scripting issue, the script runs in the browser of any other user who visits a page containing the injected content. The impact is the ability to steal session cookies, deface content, or perform further client-side attacks, compromising the confidentiality, integrity, and availability of the web application. The weakness is classified as CWE-79.

Affected Systems

WordPress installations running the EmbedPress – PDF Embedder, Embed PDF viewer, YouTube Videos, 3D FlipBook, Social feeds & more plugin up to and including version 4.5.3 are affected. The plugin is authored by wpdevteam and is often used to embed media via Gutenberg. Only users with contributor or higher permissions can inject the payload, so the issue only matters on sites that grant such roles to users who are not fully trusted.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity. EPSS information is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no known active exploitation yet. However, because the attack requires nothing more than legitimate contributor access, the risk remains high in environments where such users are numerous or have wide editing rights. The vector is likely an authenticated content-editing session in the WordPress back end, possibly through the block editor UI.

Generated by OpenCVE AI on June 6, 2026 at 04:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the EmbedPress plugin to the latest version that removes the unsanitized attribute handling (4.5.4 or later).
  • If an update cannot be applied immediately, reduce contributor permissions or temporarily disable block editing of media URLs to prevent new content edits.
  • Ensure that all user content goes through WordPress sanitization functions or deploy a plugin that sanitizes the 'url' attribute in Gutenberg blocks before rendering.
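The following is an added illustration of the defect class described in the Impact section and of the sanitize-before-render advice in the last bullet; it is not EmbedPress's code. The block name 'example/embed' and the render functions are hypothetical; register_block_type(), esc_url() and esc_attr() are real WordPress functions.

```php
<?php
// Added illustration (not EmbedPress's code): a server-rendered block whose
// 'url' attribute comes from stored post content that a contributor can write.

// VULNERABLE PATTERN (the class of defect in the advisory): the stored
// attribute is interpolated into markup with no sanitization and no escaping,
// so whatever the contributor saved is rendered for every visitor.
function example_embed_render_unsafe( $attributes ) {
    $url = isset( $attributes['url'] ) ? $attributes['url'] : '';
    return '<iframe src="' . $url . '"></iframe>'; // raw, untrusted value
}

// HARDENED PATTERN: restrict the value to http/https and escape it for the
// attribute context it is written into.
function example_embed_render_safe( $attributes ) {
    $url = isset( $attributes['url'] ) ? (string) $attributes['url'] : '';

    // esc_url() strips characters that are invalid in a URL, rejects any
    // scheme not in the allow-list passed here, and returns '' when it
    // cannot produce a safe value.
    $safe = esc_url( $url, array( 'http', 'https' ) );
    if ( '' === $safe ) {
        return ''; // refuse to render rather than fall back to the raw input
    }

    // Every other attribute value goes through esc_attr() so quotes and
    // angle brackets cannot terminate the attribute or the tag.
    return sprintf(
        '<iframe src="%s" title="%s" sandbox="allow-scripts allow-same-origin"></iframe>',
        $safe,
        esc_attr( 'Embedded content' )
    );
}

// Register the block as a dynamic block so the hardened callback runs on
// every page view; 'example/embed' is a placeholder block name.
add_action( 'init', function () {
    register_block_type( 'example/embed', array(
        'attributes'      => array( 'url' => array( 'type' => 'string' ) ),
        'render_callback' => 'example_embed_render_safe',
    ) );
} );
```

Escaping at output is the control that holds even when stored content was written by a lower-privileged role, which is why it belongs in the render path rather than only in the editor UI.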

Advisories

No advisories yet.

History

Sat, 06 Jun 2026 12:30:00 +0000

Type | Values Removed | Values Added
Metrics (ssvc) | (none) | {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 06 Jun 2026 03:30:00 +0000

Type | Values Removed | Values Added
Description | (none) | The EmbedPress – PDF Embedder, Embed PDF viewer, YouTube Videos, 3D FlipBook, Social feeds & more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the block 'url' attribute in all versions up to, and including, 4.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title | (none) | EmbedPress <= 4.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Block 'url' Attribute
Weaknesses | (none) | CWE-79
References | (none) | (none listed)
Metrics (cvssV3_1) | (none) | {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-06T11:47:40.895Z

Reserved: 2026-05-04T19:08:09.496Z

Link: CVE-2026-7796

Vulnrichment

Updated: 2026-06-06T11:47:35.741Z

NVD

Status: Received

Published: 2026-06-06T04:17:41.187

Modified: 2026-06-06T04:17:41.187

Link: CVE-2026-7796

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-06T04:30:12Z

Weaknesses