CVE-2024-3244 Information

Apr 10, 2024 cve

Description

The EmbedPress – Embed PDF Google Docs Vimeo Wistia Embed YouTube Videos Audios Maps & Embed Any Documents in Gutenberg & Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ’embedpress_calendar’ shortcode in all versions up to and including 3.9.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Reference

https://www.wordfence.com/threat-intel/vulnerabilities/id/778d8443-fc0f-4e97-8460-e5ceee8b62a1?source=cve https://plugins.trac.wordpress.org/browser/embedpress/tags/3.9.13/EmbedPress/ThirdParty/Googlecalendar/Embedpress_Google_Helper.php#L657 https://plugins.trac.wordpress.org/changeset/3064544/embedpress/tags/3.9.15/EmbedPress/ThirdParty/Googlecalendar/Embedpress_Google_Helper.php

Share on: