Description
The Advanced iFrame plugin for WordPress is vulnerable to unauthorized excessive creation of options on the aip_map_url_callback() function in all versions up to, and including, 2024.5 due to insufficient restrictions. This makes it possible for unauthenticated attackers to update the advancediFrameParameterData option with an excessive amount of unvalidated data.
Published: 2025-03-26
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized configuration changes
Action: Patch immediately
AI Analysis

Impact

The Advanced iFrame plugin for WordPress is vulnerable to the creation of excessive options within the aip_map_url_callback() function in all releases up to and including 2024.5. Because the function does not properly restrict its input, unauthenticated attackers can inject large amounts of unvalidated data into the advancediFrameParameterData option. This lets an attacker alter plugin settings at will, which may lead to undesired behaviour or to further exploitation if the stored data is consumed by downstream logic. The weakness stems from a lack of input validation, classified as CWE-20.

Affected Systems

WordPress sites with the Advanced iFrame plugin (vendor mdempfle, product Advanced iFrame) installed. All versions up to and including 2024.5 are affected; any installation of these versions is vulnerable regardless of the WordPress core version or of other plugins present.

Risk and Exploitability

The vulnerability carries a CVSS score of 5.3, reflecting moderate severity. The EPSS score is below 1%, indicating a very low overall probability of exploitation, and it is not listed in the CISA KEV catalog. An attacker needs only network access to the WordPress installation and the ability to send a request to the callback endpoint; because the option update is reachable by unauthenticated users, the attack vector is remote web. Given the moderate score and low exploitation likelihood, the risk to a single site is lower than that of high-severity flaws, but the impact can be significant if the site relies on the plugin for critical functionality.

Generated by OpenCVE AI on April 21, 2026 at 21:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Review and enforce proper access controls on the aip_map_url_callback endpoint, ensuring only authenticated users with the appropriate capability can modify plugin options; validate all incoming data before it is stored
  • Update the Advanced iFrame plugin to the latest available version (2024.6 or later) if a patch is released; otherwise replace the plugin with an alternative that has proper input validation
  • Implement a Web Application Firewall rule or rate-limit the plugin's settings endpoint to prevent excessive or malformed option updates, and log all attempts so that ongoing abuse can be detected
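The following is an added illustration of the first recommendation, not code from the Advanced iFrame plugin: a weak WordPress AJAX handler that stores request data into an option unchecked, beside a hardened version with a capability check, nonce and bounded validation. The AJAX action names, the expected shape of the option and the size limits are assumptions.

```php
<?php
// Added illustration, not Advanced iFrame's own code. The AJAX action names,
// the expected shape of the option and the size limits are all assumptions.

// Weak pattern: a nopriv hook is reachable by any visitor, and the raw request
// value is stored unvalidated, so the option can be filled with arbitrary data.
add_action( 'wp_ajax_nopriv_aip_map_url_weak', 'aip_map_url_callback_weak' );
function aip_map_url_callback_weak() {
    update_option( 'advancediFrameParameterData', $_POST['data'] ?? '' );
    wp_die();
}

// Hardened pattern: logged-in hook only, nonce check, capability check, then a
// bounded and validated payload before anything is written to the option.
define( 'AIP_DEMO_MAX_ENTRIES', 50 );     // assumed limit on entries
define( 'AIP_DEMO_MAX_VALUE_LEN', 2048 ); // assumed limit per value

add_action( 'wp_ajax_aip_map_url_hardened', 'aip_map_url_callback_hardened' );
function aip_map_url_callback_hardened() {
    // Reject requests that do not carry a valid nonce for this action.
    check_ajax_referer( 'aip_map_url', 'nonce' );
    // Only users who may manage options can change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $raw     = wp_unslash( $_POST['data'] ?? '' );
    $decoded = json_decode( $raw, true );
    // Enforce the expected shape (an array) and an upper bound on its size.
    if ( ! is_array( $decoded ) || count( $decoded ) > AIP_DEMO_MAX_ENTRIES ) {
        wp_send_json_error( 'invalid payload', 400 );
    }
    $clean = array();
    foreach ( $decoded as $key => $value ) {
        // Keys: short identifiers only; values: bounded, sanitized strings.
        if ( ! is_string( $key ) || ! preg_match( '/^[a-z0-9_-]{1,64}$/i', $key ) ) {
            wp_send_json_error( 'invalid key', 400 );
        }
        if ( ! is_string( $value ) || strlen( $value ) > AIP_DEMO_MAX_VALUE_LEN ) {
            wp_send_json_error( 'invalid value', 400 );
        }
        $clean[ $key ] = sanitize_text_field( $value );
    }
    // Store the validated array; autoload=false keeps it out of every page load.
    update_option( 'advancediFrameParameterData', $clean, false );
    wp_send_json_success( array( 'stored' => count( $clean ) ) );
}
```

Registering the hardened handler only under `wp_ajax_` (and not `wp_ajax_nopriv_`) is what removes the unauthenticated path; the nonce and capability checks then cover authenticated but unprivileged users.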

Advisories
Source: EUVD
ID: EUVD-2025-8129
Title: The Advanced iFrame plugin for WordPress is vulnerable to unauthorized excessive creation of options on the aip_map_url_callback() function in all versions up to, and including, 2024.5 due to insufficient restrictions. This makes it possible for unauthenticated attackers to update the advancediFrameParameterData option with an excessive amount of unvalidated data.

History

Mon, 14 Jul 2025 16:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Tinywebgallery; Tinywebgallery advanced Iframe
CPEs | | cpe:2.3:a:tinywebgallery:advanced_iframe:*:*:*:*:*:wordpress:*:*
Vendors & Products | | Tinywebgallery; Tinywebgallery advanced Iframe

Wed, 26 Mar 2025 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 26 Mar 2025 09:45:00 +0000

Type | Values Removed | Values Added
Description | | The Advanced iFrame plugin for WordPress is vulnerable to unauthorized excessive creation of options on the aip_map_url_callback() function in all versions up to, and including, 2024.5 due to insufficient restrictions. This makes it possible for unauthenticated attackers to update the advancediFrameParameterData option with an excessive amount of unvalidated data.
Title | | Advanced iFrame <= 2024.5 - Unauthenticated Settings Update
Weaknesses | | CWE-20
References | |
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:17:57.023Z

Reserved: 2025-02-18T15:22:26.598Z

Link: CVE-2025-1440

Vulnrichment

Updated: 2025-03-26T17:36:45.592Z

NVD

Status: Analyzed

Published: 2025-03-26T10:15:15.260

Modified: 2025-07-14T16:40:37.780

Link: CVE-2025-1440

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T21:45:25Z

Weaknesses