CVE-2024-11203
📋 TL;DR
This stored XSS vulnerability in the EmbedPress WordPress plugin allows authenticated attackers with Contributor-level access or higher to inject malicious scripts into web pages. When users visit compromised pages, the scripts execute in their browsers, potentially stealing credentials or performing unauthorized actions. All WordPress sites using EmbedPress versions up to 4.1.3 are affected.
💻 Affected Systems
- EmbedPress – Embed PDF, 3D Flipbook, Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Audios, Google Maps in Gutenberg Block & Elementor
📦 What is this software?
Embedpress by Wpdeveloper
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, deface websites, redirect users to malicious sites, or install backdoors for persistent access.
Likely Case
Attackers inject malicious scripts to steal user session cookies, perform actions as authenticated users, or display phishing content.
If Mitigated
With proper user role management and input validation, impact is limited to low-privileged user compromise.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained. Public proof-of-concept exists in vulnerability reports.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.1.4
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3196371/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find EmbedPress and click 'Update Now'. 4. Verify version is 4.1.4 or higher.
🔧 Temporary Workarounds
Temporary Input Sanitization
allAdd custom sanitization for provider_name parameter in WordPress theme functions
Add to theme's functions.php: add_filter('embedpress_provider_name', 'sanitize_text_field');
Restrict User Roles
allTemporarily remove Contributor role access or downgrade to Subscriber
Use WordPress user management or plugins like User Role Editor to modify capabilities
🧯 If You Can't Patch
- Disable the EmbedPress plugin completely until patching is possible
- Implement strict Content Security Policy (CSP) headers to limit script execution
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for EmbedPress version ≤4.1.3Check Version:
wp plugin list --name=embedpress --field=version (WP-CLI) or check WordPress admin interfaceVerify Fix Applied:
Confirm EmbedPress version is 4.1.4 or higher in WordPress plugins list📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to wp-admin with provider_name parameter containing script tags
- Multiple failed login attempts followed by successful Contributor-level login
Network Indicators:
- Unexpected outbound connections from WordPress site after page visits
- Suspicious JavaScript in page responses
SIEM Query:
source="wordpress.log" AND ("provider_name" AND ("<script" OR "javascript:" OR "onload=" OR "onerror="))🔗 References
- https://github.com/WPDevelopers/embedpress/blob/a6aa3339d9dc69ab6f9338ded073e5709173c2d4/EmbedPress/Shortcode.php#L240
- https://github.com/WPDevelopers/embedpress/blob/a6aa3339d9dc69ab6f9338ded073e5709173c2d4/vendor/wpdevelopers/embera/src/Embera/ProviderCollection/ProviderCollectionAdapter.php#L173
- https://plugins.trac.wordpress.org/changeset/3196371/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/167dedfa-36cc-4b01-8ea4-8eda8742953c?source=cve
