Iframe < 4.5 – Authenticated Stored Cross Site Scripting (XSS) | CVE 2020-12696

Affects Plugins

iframe

Fixed in 4.5

References

CVE

CVE-2020-12696

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

4.8 (medium)

Miscellaneous

Original Researcher

Guilherme Rubert

Submitter

Guilherme Rubert

Submitter website

https://guilhermerubert.com

Verified

No

WPVDB ID

0e9becad-7895-40db-ab65-e53be0fe8609

Timeline

Publicly Published

2020-05-07 (about 5 years ago)

Added

2020-05-13 (about 5 years ago)

Last Updated

2020-05-14 (about 5 years ago)

Other

Published

Title

Published

2023-08-22

Title

Collapse-O-Matic <= 1.8.5.8 - Contributor+ Stored XSS

Published

2025-10-23

Title

Bold Page Builder < 5.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via `percentage` Parameter

Published

2025-01-07

Title

mcjh button shortcode <= 1.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-02-18

Title

YaySMTP 2.4.9 - 2.6.3 - Unauthenticated Stored Cross-Site Scripting

Published

2024-05-23

Title

LottieFiles – JSON Based Animation Lottie & Bodymovin for Elementor < 1.10.10 - Authenticated (Contributor+) Stored Cross-Site Scripting