CVE-2026-7796
Description
Stored XSS in EmbedPress WordPress plugin allows authenticated attackers to inject scripts via the 'url' attribute, executing them when users view affected pages.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The EmbedPress plugin for WordPress versions up to and including 4.5.3 suffers from Stored Cross-Site Scripting (XSS) due to insufficient sanitization and output escaping of the url attribute within its blocks. This vulnerability allows authenticated users with contributor-level access or higher to inject arbitrary web scripts.
Exploitation
An attacker with at least contributor-level access can inject malicious scripts into the url attribute of an EmbedPress block. These scripts will execute when any user views the page containing the injected content. No other special conditions are mentioned in the available references.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of other users' browsers. This can lead to session hijacking, defacement, or redirection to malicious sites, depending on the injected script.
Mitigation
The vulnerability is fixed in EmbedPress version 4.5.4, released on 2026-05-25 [4]. Users are advised to update to this version or later to address the vulnerability. No workarounds are specified in the available references.
AI Insight generated on Jun 6, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=4.5.3
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE — the mechanics section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- plugins.trac.wordpress.org/browser/embedpress/tags/4.4.11/EmbedPress/Gutenberg/EmbedPressBlockRenderer.php (source: nvd)
- plugins.trac.wordpress.org/browser/embedpress/tags/4.4.11/EmbedPress/Includes/Classes/Helper.php (source: nvd)
- plugins.trac.wordpress.org/browser/embedpress/tags/4.5.1/EmbedPress/Gutenberg/EmbedPressBlockRenderer.php (source: nvd)
- plugins.trac.wordpress.org/browser/embedpress/tags/4.5.1/EmbedPress/Includes/Classes/Helper.php (source: nvd)
- plugins.trac.wordpress.org/browser/embedpress/trunk/EmbedPress/Gutenberg/EmbedPressBlockRenderer.php (source: nvd)
- plugins.trac.wordpress.org/browser/embedpress/trunk/EmbedPress/Includes/Classes/Helper.php (source: nvd)
- plugins.trac.wordpress.org/changeset (source: nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/a0b5b6bc-5f4f-4cf8-987e-b20e8354d863 (source: nvd)
News mentions
No linked articles in our index yet.