Description
The Inline frame – Iframe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'embedsite' shortcode in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-11-25
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross‑site scripting allowing attacker‑controlled scripts to run in the browsers of users who view infected content
Action: Patch Plugin
AI Analysis

Impact

The Inline frame – Iframe plugin for WordPress is vulnerable to a stored cross‑site scripting flaw in the embedsite shortcode. Insufficient input sanitization and output escaping allow an authenticated attacker with contributor or higher privileges to insert arbitrary JavaScript that is persisted and executed whenever a user visits a page containing the shortcode.

Affected Systems

WordPress sites that have the Inline frame – Iframe plugin installed with a version of 0.1 or earlier are affected. All releases up to and including version 0.1 contain the vulnerable shortcode.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate severity, while the EPSS score of less than 1 % suggests a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker must have contributor‑level or higher access to the WordPress dashboard; the flaw is only exploitable when the embedsite shortcode is used on a page.

Generated by OpenCVE AI on April 22, 2026 at 00:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Inline frame – Iframe plugin to a version newer than 0.1, or remove the plugin if no update is available.
  • Disable or delete any use of the embedsite shortcode on posts and pages to eliminate the XSS vector.
  • Limit contributor‑level access or restrict roles that can edit content to trusted users only.

Generated by OpenCVE AI on April 22, 2026 at 00:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 26 Nov 2025 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Tue, 25 Nov 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 25 Nov 2025 07:45:00 +0000

Type Values Removed Values Added
Description The Inline frame – Iframe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'embedsite' shortcode in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Inline frame – Iframe <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:24:32.050Z

Reserved: 2025-11-03T19:46:06.811Z

Link: CVE-2025-12645

cve-icon Vulnrichment

Updated: 2025-11-25T15:00:54.377Z

cve-icon NVD

Status : Deferred

Published: 2025-11-25T08:15:49.283

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12645

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T00:30:04Z

Weaknesses