CVE-2023-6986: 
WordPress vulnerability analysis and mitigation

The EmbedPress WordPress plugin (versions up to 3.9.5) contains a Stored Cross-Site Scripting vulnerability (CVE-2023-6986) discovered in January 2024. The vulnerability exists in the plugin's embed_oembed_html shortcode due to insufficient input sanitization and output escaping on user-supplied attributes. This security issue affects the EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor plugin (NVD, WPScan).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue with a CVSS v3.1 base score of 5.4 (Medium) according to NIST, and 6.4 (Medium) according to Wordfence. The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L). The vulnerability stems from improper validation and escaping of shortcode attributes in the embed_oembed_html functionality (NVD).

When exploited, this vulnerability allows authenticated attackers with contributor-level permissions or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to client-side attacks and unauthorized actions in the context of the visiting user's browser session (NVD).

The vulnerability has been patched in version 3.9.6 of the EmbedPress plugin. Site administrators are strongly advised to update to this version or later to protect against this security issue (WPScan).