Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated network-reachable WordPress endpoint (AV:N/AC:L/PR:N/UI:N) leaking sensitive data justifies C:H; no integrity or availability impact described, so I:N/A:N.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Sensitive Data Exposure in EmbedPress <= 4.5.2 versions.
AnalysisAI
Unauthenticated sensitive data exposure in the EmbedPress WordPress plugin (versions 4.5.2 and earlier) allows remote attackers to retrieve confidential information from affected sites without any credentials or user interaction. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates trivial network exploitation against any vulnerable installation, though no public exploit identified at time of analysis. The flaw was disclosed via Patchstack and is classified under CWE-639, suggesting authorization checks are bypassed via predictable or user-controlled object references.
Technical ContextAI
EmbedPress is a WordPress plugin published by wpdeveloper (CPE cpe:2.3:a:wpdeveloper:embedpress) used to embed third-party content such as videos, documents, maps, and social media posts into WordPress posts and pages. The underlying weakness, CWE-639 (Authorization Bypass Through User-Controlled Key), typically arises when an endpoint accepts an identifier supplied by the requester and returns associated data without verifying that the requester is authorized to view it - an IDOR-style flaw. In the EmbedPress context this most likely involves a plugin REST route, AJAX action, or shortcode handler that returns embedded content metadata or configuration without performing capability checks.
RemediationAI
Upgrade EmbedPress to a release newer than 4.5.2 once the wpdeveloper-published fixed version is available; consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/embedpress/vulnerability/wordpress-embedpress-plugin-4-5-2-sensitive-data-exposure-vulnerability for the exact patched version, as an upstream fix is referenced but the released patched version is not independently confirmed in the input data. Until upgrade is possible, deactivate the EmbedPress plugin on production sites (which will break any pages relying on its embeds) or front the site with a WAF/virtual-patching rule - Patchstack and Wordfence typically ship signatures for disclosed plugin CVEs - and restrict access to wp-admin and the WordPress REST API (/wp-json/embedpress/* and admin-ajax.php actions referencing embedpress) via IP allowlists where feasible, accepting that REST restrictions may break legitimate front-end embed rendering.
More in Embedpress
View allThe EmbedPress WordPress plugin before 3.9.2 does not sanitise and escape a parameter before outputting it back in the p
The EmbedPress WordPress plugin before 3.9.2 does not sanitise and escape user input before outputting it back in the pa
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WPDeveloper EmbedPress a
Missing Authorization vulnerability in WPDeveloper EmbedPress.9.8. Rated critical severity (CVSS 9.8), this vulnerabilit
Missing Authorization vulnerability in WPDeveloper EmbedPress allows Exploiting Incorrectly Configured Access Control Se
The EmbedPress - Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elem
The EmbedPress - Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elem
The EmbedPress - Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gute
The EmbedPress - Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elem
The EmbedPress - Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gute
The EmbedPress - Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gute
The EmbedPress - Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gute
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36850
GHSA-w8hp-6w9c-qp6h