WordPress Plugin Vulnerabilities

iFrame < 4.9 - Contributor+ Stored XSS

Description

The plugin does not sanitise and escape the srcdoc parameter, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks, however given that the malicious JS is limited to the scope of the iframe, there is no practical way to make users (such as admin) perform unwanted actions

Affects Plugins

Plugin icon
iframe
Fixed in 4.9

References

CVE
CVE-2023-52125
URL
https://patchstack.com/database/vulnerability/iframe/wordpress-iframe-plugin-4-8-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
LVT-tholv2k
Verified
No
WPVDB ID
81b08f72-b76c-43b5-bfde-10a6aeb27a03

Timeline

Publicly Published
2023-12-28 (about 2 years ago)
Added
2024-01-04 (about 2 years ago)
Last Updated
2024-01-04 (about 2 years ago)

Other

Published
Title
Published
2025-06-25
Title
Event RSVP and Simple Event Management Plugin < 4.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-01-23
Title
Paid Membership Plugin < 4.15.20 - Admin+ Stored XSS
Published
2025-06-12
Title
Arconix Shortcodes < 2.1.18 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-09-24
Title
WP GPX Maps <= 1.7.08 - Authenticated (Contributor+) Stored Cross-Site Scripting via sgpx Shortcode
Published
2026-03-06
Title
RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging < 5.0.12 - Unauthenticated DOM-Based Reflected Cross-Site Scripting via postMessage