Skip to main content

EmbedPress CVE-2026-48872

| EUVDEUVD-2026-36850 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-15 Patchstack GHSA-w8hp-6w9c-qp6h
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network-reachable WordPress endpoint (AV:N/AC:L/PR:N/UI:N) leaking sensitive data justifies C:H; no integrity or availability impact described, so I:N/A:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 21:48 vuln.today

DescriptionCVE.org

Unauthenticated Sensitive Data Exposure in EmbedPress <= 4.5.2 versions.

AnalysisAI

Unauthenticated sensitive data exposure in the EmbedPress WordPress plugin (versions 4.5.2 and earlier) allows remote attackers to retrieve confidential information from affected sites without any credentials or user interaction. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates trivial network exploitation against any vulnerable installation, though no public exploit identified at time of analysis. The flaw was disclosed via Patchstack and is classified under CWE-639, suggesting authorization checks are bypassed via predictable or user-controlled object references.

Technical ContextAI

EmbedPress is a WordPress plugin published by wpdeveloper (CPE cpe:2.3:a:wpdeveloper:embedpress) used to embed third-party content such as videos, documents, maps, and social media posts into WordPress posts and pages. The underlying weakness, CWE-639 (Authorization Bypass Through User-Controlled Key), typically arises when an endpoint accepts an identifier supplied by the requester and returns associated data without verifying that the requester is authorized to view it - an IDOR-style flaw. In the EmbedPress context this most likely involves a plugin REST route, AJAX action, or shortcode handler that returns embedded content metadata or configuration without performing capability checks.

RemediationAI

Upgrade EmbedPress to a release newer than 4.5.2 once the wpdeveloper-published fixed version is available; consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/embedpress/vulnerability/wordpress-embedpress-plugin-4-5-2-sensitive-data-exposure-vulnerability for the exact patched version, as an upstream fix is referenced but the released patched version is not independently confirmed in the input data. Until upgrade is possible, deactivate the EmbedPress plugin on production sites (which will break any pages relying on its embeds) or front the site with a WAF/virtual-patching rule - Patchstack and Wordfence typically ship signatures for disclosed plugin CVEs - and restrict access to wp-admin and the WordPress REST API (/wp-json/embedpress/* and admin-ajax.php actions referencing embedpress) via IP allowlists where feasible, accepting that REST restrictions may break legitimate front-end embed rendering.

CVE-2023-5750 MEDIUM POC
6.1 Dec 11

The EmbedPress WordPress plugin before 3.9.2 does not sanitise and escape a parameter before outputting it back in the p

CVE-2023-5749 MEDIUM POC
6.1 Dec 11

The EmbedPress WordPress plugin before 3.9.2 does not sanitise and escape user input before outputting it back in the pa

CVE-2024-43328 CRITICAL
9.8 Aug 19

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WPDeveloper EmbedPress a

CVE-2024-31284 CRITICAL
9.8 Jun 09

Missing Authorization vulnerability in WPDeveloper EmbedPress.9.8. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2024-38707 HIGH
8.8 Nov 01

Missing Authorization vulnerability in WPDeveloper EmbedPress allows Exploiting Incorrectly Configured Access Control Se

CVE-2024-1425 MEDIUM
6.4 Feb 29

The EmbedPress - Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elem

CVE-2024-1349 MEDIUM
6.4 Feb 29

The EmbedPress - Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elem

CVE-2024-3244 MEDIUM
6.4 Apr 09

The EmbedPress - Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gute

CVE-2024-1565 MEDIUM
6.4 Jun 13

The EmbedPress - Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elem

CVE-2024-5571 MEDIUM
6.4 Jun 05

The EmbedPress - Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gute

CVE-2024-4316 MEDIUM
6.4 May 14

The EmbedPress - Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gute

CVE-2024-3245 MEDIUM
6.4 Apr 06

The EmbedPress - Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gute

Share

CVE-2026-48872 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy