WordPress Plugin Vulnerabilities

Advanced iFrame < 2024.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description

The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘add_iframe_url_as_param_direct’ parameter in versions up to, and including, 2024.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
advanced-iframe
Fixed in 2024.4

References

CVE
CVE-2024-4365
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/21990e54-c3a2-4bca-b164-132ad456e651

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
wesley (wcraft)
Verified
No
WPVDB ID
017639a5-e310-4a5e-9348-45f1c880e012

Timeline

Publicly Published
2024-05-22 (about 2 years ago)
Added
2024-05-23 (about 2 years ago)
Last Updated
2024-05-23 (about 2 years ago)

Other

Published
Title
Published
2025-03-05
Title
Ad Inserter - Ad Manager and AdSense Ads < 2.8.1 - Reflected Cross-Site Scripting
Published
2025-09-03
Title
Tooltipy < 5.5.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-11-10
Title
Share to Google Classroom <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via share_to_google Shortcode
Published
2025-12-31
Title
Responsive Block Control < 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2022-03-01
Title
Delete Old Orders <= 0.2 - Reflected Cross-Site Scripting