Responsive iframe <= 1.2.0 – Contributor+ Stored XSS | CVE 2024-12768 | Plugin Vulnerabilities

Description

The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Proof of Concept

1. Contributor+ creates a post including the Responsive Iframes block.
2. Set the Iframe URL to `javascript:alert("Stored XSS")`
3. When viewing the post in the editor, click "attempt block recovery" and then the XSS will fire.

Affects Plugins

responsive-iframe

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Sakotas

Submitter

Sakotas

Verified

Yes

WPVDB ID

fe2e47f4-b89e-4c22-8d27-672da0fb99af

Timeline

Publicly Published

2025-01-10 (about 11 months ago)

Added

2025-01-10 (about 11 months ago)

Last Updated

2025-01-10 (about 11 months ago)

Other

Published

Title

Published

2015-03-06

Title

Google Analytics by Yoast <= 5.3.2 - Cross-Site Scripting (XSS)

Published

2022-05-26

Title

Image Slider by NextCode <= 1.1.2 - Author+ Stored Cross-Site Scripting

Published

2014-10-30

Title

Profile Builder < 2.0.3 - Reflected Cross-Site Scripting (XSS)

Published

2025-09-11

Title

Woocommerce Envato Affiliates <= 1.2.1 - Reflected Cross-Site Scripting

Published

2024-08-28

Title

Bus Ticket Booking with Seat Reservation < 5.3.6 - Authenticated (Administrator+) Stored Cross-Site Scripting