EmbedPress – Embed PDF, 3D Flipbook, Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Audios, Google Maps in Gutenberg Block & Elementor <= 4.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'provider_name'
Description
The EmbedPress – Embed PDF, 3D Flipbook, Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Audios, Google Maps in Gutenberg Block & Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘provider_name parameter in all versions up to, and including, 4.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in EmbedPress plugin via 'provider_name' parameter allows authenticated attackers with Contributor+ access to inject scripts that execute on page view.
Vulnerability
The EmbedPress plugin for WordPress (versions up to and including 4.1.3) contains a Stored Cross-Site Scripting vulnerability in the provider_name parameter. Insufficient input sanitization and output escaping allow authenticated users with at least Contributor-level access to inject arbitrary web scripts.
Exploitation
An attacker with a Contributor-level account or higher can inject malicious JavaScript into the provider_name parameter. When a user (including administrators) views the page containing the embedded block, the injected script executes in the context of the victim's browser.
Impact
Successful exploitation leads to arbitrary script execution, potentially allowing the attacker to perform actions such as cookie theft, session hijacking, or defacement on the affected WordPress site. The attacker does not require elevated privileges beyond Contributor.
Mitigation
The vulnerability is fixed in version 4.5.3 or later of EmbedPress [1]. Users should update the plugin immediately. If updating is not possible, restrict Contributor-level user accounts and review any embedded content for malicious input.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
3- Range: <=4.1.3
- wpdevteam/EmbedPress – PDF Embedder, Embed YouTube Videos, 3D FlipBook, Social feeds, Docs & morev5Range: 0
Patches
2cbc291285750r3196371Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/WPDevelopers/embedpress/blob/a6aa3339d9dc69ab6f9338ded073e5709173c2d4/EmbedPress/Shortcode.phpmitre
- github.com/WPDevelopers/embedpress/blob/a6aa3339d9dc69ab6f9338ded073e5709173c2d4/vendor/wpdevelopers/embera/src/Embera/ProviderCollection/ProviderCollectionAdapter.phpmitre
- plugins.trac.wordpress.org/changeset/3196371/mitre
- www.wordfence.com/threat-intel/vulnerabilities/id/167dedfa-36cc-4b01-8ea4-8eda8742953cmitre
News mentions
0No linked articles in our index yet.