WordPress Plugin Vulnerabilities

iframe < 4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'iframe' Shortcode

Description

The iframe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `iframe` shortcode in versions up to, and including, 4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permission and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This was partially patched in version 4.6 and fully patched in version 4.7.

Affects Plugins

Plugin icon
iframe
Fixed in 4.7

References

CVE
CVE-2023-4919
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/3706deed-55f2-4dfb-bfed-7a14872cd15a

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
István Márton, Alex Thomas
Verified
No
WPVDB ID
9b90a8b3-8328-40a6-860b-54106fe10481

Timeline

Publicly Published
2023-09-25 (about 2 years ago)
Added
2023-11-24 (about 2 years ago)
Last Updated
2023-12-24 (about 2 years ago)

Other

Published
Title
Published
2023-02-13
Title
Announce from the Dashboard < 1.5.2 - Admin+ Stored XSS
Published
2025-12-11
Title
Category Dropdown List <= 1.0 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']
Published
2024-06-18
Title
Ultimate Blocks – WordPress Blocks Plugin < 3.1.1 - Authenticated(Contributor+) Stored Cross-Site Scripting via metabox
Published
2025-03-05
Title
WP SVG Upload <= 1.0.0 - Author+ Stored XSS via SVG
Published
2024-10-14
Title
bVerse Convert <= 1.3.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting