WordPress Plugin Vulnerabilities

Advanced iFrame < 2025.0 - Unauthenticated Settings Update

Description

The plugin is vulnerable to unauthorized excessive creation of options on the aip_map_url_callback() function due to insufficient restrictions. This makes it possible for unauthenticated attackers to update the advancediFrameParameterData option with an excessive amount of unvalidated data.

Affects Plugins

Plugin icon
advanced-iframe
Fixed in 2025.0

References

CVE
CVE-2025-1440
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/b92913fa-aa1e-40a0-9a48-d730b2102217

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Peter Thaleikis
Verified
No
WPVDB ID
29e7f94f-12e4-493e-99c1-929c61244c24

Timeline

Publicly Published
2025-03-25 (about 1 year ago)
Added
2025-03-26 (about 1 year ago)
Last Updated
2025-03-26 (about 1 year ago)

Other

Published
Title
Published
2025-05-16
Title
CSS3 Compare Pricing Tables for WordPress < 11.7 - Missing Authorization
Published
2025-12-05
Title
Helloprint <= 2.1.2 - Missing Authorization to Unauthenticated Arbitrary Order Status Modification
Published
2026-02-15
Title
Sessions Time Monitoring Full Automatic < 1.1.4 - Missing Authorization
Published
2026-03-31
Title
Simple Membership < 4.7.2 - Missing Authorization
Published
2025-06-12
Title
WP Travel Engine < 6.5.2 - Missing Authorization to Unauthenticated Arbitrary Post Deletion