Advanced iFrame < 2025.6 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE 2025-6987 | Plugin Vulnerabilities

Description

The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'advanced_iframe' shortcode in all versions up to, and including, 2025.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

advanced-iframe

Fixed in 2025.6

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/6acb99eb-d61c-4d1f-b399-32db07c7e3e7

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

muhammad yudha

Verified

No

WPVDB ID

2dab51f5-bd7f-44dd-bf51-0818cb7d7aa0

Timeline

Publicly Published

2025-07-25 (about 10 months ago)

Added

2025-07-25 (about 10 months ago)

Last Updated

2025-07-26 (about 10 months ago)

Other

Published

Title

Published

2021-05-24

Title

JNews < 8.0.6 - Reflected Cross-Site Scripting (XSS)

Published

2023-08-18

Title

Photo Gallery by Ays < 5.1.4 - Reflected XSS

Published

2025-10-08

Title

Fix Multiple Redirects <= 1.2.3 - Reflected Cross-Site Scripting

Published

2025-01-16

Title

The Great Firewords of China <= 1.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Published

2024-03-28

Title

WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting <= 1.12.9 - Unauthenticated Stored Cross-Site Scripting