WordPress Plugin Vulnerabilities

iframe forms <= 1.0 - Contributor+ Stored Cross-Site Scripting

Description

The plugin does not properly sanitize and escape the 'iframe' shortcode. This leads to the possibility of stored Cross-Site Scripting where arbitrary web scripts can be injected into pages.

Affects Plugins

Plugin icon
iframe-forms
No known fix

References

CVE
CVE-2023-5073
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/818de7f7-913a-4ade-927e-bba281b4709a

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Lana Codes, Alex Thomas
Verified
No
WPVDB ID
fc780bf4-0b49-48a9-bd4a-ea3f29de4ab1

Timeline

Publicly Published
2023-10-30 (about 2 years ago)
Added
2023-11-03 (about 2 years ago)
Last Updated
2023-11-03 (about 2 years ago)

Other

Published
Title
Published
2024-11-12
Title
Kognetiks Chatbot for WordPress < 2.1.8 - Reflected Cross-Site Scripting
Published
2023-01-30
Title
GS Portfolio for Envato < 1.4.0 - Contributor+ Stored XSS
Published
2024-11-05
Title
WS Form LITE – Drag & Drop Contact Form Builder for WordPress < 1.9.245 - Reflected Cross-Site Scripting via URL
Published
2025-09-05
Title
Smart Table Builder < 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter
Published
2024-09-27
Title
WP-WebAuthn < 1.3.4 - Contributor+ Stored XSS via wwa_login_form Shortcode