CVE-2024-1803

MEDIUM

EmbedPress < 3.9.12 - Authenticated Unauthorized Access via PDF Embed Block

Title source: llm

Description

The EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor plugin for WordPress is vulnerable to unauthorized access of functionality due to insufficient authorization validation on the PDF embed block in all versions up to, and including, 3.9.12. This makes it possible for authenticated attackers, with contributor-level access and above, to embed PDF blocks.

References (2)

Core 2

Core References

Patch

https://plugins.trac.wordpress.org/changeset/3055856

Patch, Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/175e08ce-aec2-427a-90e0-f955711d58b2?source=cve

Scores

CVSS v3 4.3

EPSS 0.0028

EPSS Percentile 19.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-285 CWE-863

Status published

Products (2)

wpdeveloper/embedpress < 3.9.12

wpdevteam/EmbedPress – PDF Embedder, Embed YouTube Videos, 3D FlipBook, Social feeds, Docs & more < 3.9.12

Published May 23, 2024

Tracked Since Feb 18, 2026