Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vikas Sharma iFrame Block allows Stored XSS. This issue affects iFrame Block: from n/a through 0.1.1.
Published: 2025-08-20
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This stored XSS flaw allows an attacker to inject malicious JavaScript into content managed by the iFrame Block plugin. When that content is displayed in a browser, the script runs in the context of the site, potentially leaking session data, defacing the site, or redirecting users. The weakness is improper neutralization of input during web page generation (CWE-79) and can affect the confidentiality, integrity, and availability of the site.

Affected Systems

The vulnerability affects the iFrame Block plugin for WordPress by Vikas Sharma, in every version from the first release through 0.1.1. Any WordPress installation running the plugin is affected unless the plugin has been updated beyond 0.1.1.

Risk and Exploitability

The CVSS score of 7.1 is rated High, while the EPSS score of less than 1% suggests the likelihood of exploitation is currently low. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker would need to supply malicious content to the plugin through an input field, so the attack vector is likely local or requires an authenticated editor or administrator. The CVSS 3.1 vector currently recorded for this CVE, AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, specifies a network attack vector with no privileges required and user interaction required; the originally published vector scored 6.5 with PR:L. No additional exploitation conditions are indicated in the published data.

Generated by OpenCVE AI on April 30, 2026 at 08:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the iFrame Block plugin to the latest available version above 0.1.1.
  • If an upgrade is not possible, disable or delete the plugin to eliminate the attack surface.
  • Ensure that any stored content is sanitized or use a plugin that validates input to guard against future XSS vulnerabilities.



Advisories
Source: EUVD
ID: EUVD-2025-25291
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vikas Sharma iFrame Block allows Stored XSS. This issue affects iFrame Block: from n/a through 0.1.1.
History

Tue, 28 Apr 2026 19:45:00 +0000


Tue, 28 Apr 2026 18:30:00 +0000

Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vikas Sharma FAQ Revolution - WordPress Plugin faq-revo allows Reflected XSS. This issue affects FAQ Revolution - WordPress Plugin: from n/a through <= 1.5.0.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vikas Sharma iFrame Block allows Stored XSS. This issue affects iFrame Block: from n/a through 0.1.1.
Title
  Values Removed: WordPress FAQ Revolution - WordPress Plugin <= 1.5.0 - Cross Site Scripting (XSS) Vulnerability
  Values Added: WordPress iFrame Block plugin <= 0.1.1 - Cross Site Scripting (XSS) vulnerability
References

Thu, 23 Apr 2026 15:45:00 +0000


Thu, 23 Apr 2026 15:00:00 +0000

Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vikas Sharma iFrame Block allows Stored XSS. This issue affects iFrame Block: from n/a through 0.1.1.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vikas Sharma FAQ Revolution - WordPress Plugin faq-revo allows Reflected XSS. This issue affects FAQ Revolution - WordPress Plugin: from n/a through <= 1.5.0.
Title
  Values Removed: WordPress iFrame Block plugin <= 0.1.1 - Cross Site Scripting (XSS) vulnerability
  Values Added: WordPress FAQ Revolution - WordPress Plugin <= 1.5.0 - Cross Site Scripting (XSS) Vulnerability
References
Metrics
  Values Removed: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}
  Values Added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Thu, 21 Aug 2025 12:45:00 +0000

First Time appeared
  Values Added: Wordpress; Wordpress wordpress
Vendors & Products
  Values Added: Wordpress; Wordpress wordpress

Wed, 20 Aug 2025 14:15:00 +0000

Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 Aug 2025 08:15:00 +0000

Description
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vikas Sharma iFrame Block allows Stored XSS. This issue affects iFrame Block: from n/a through 0.1.1.
Title
  Values Added: WordPress iFrame Block plugin <= 0.1.1 - Cross Site Scripting (XSS) vulnerability
Weaknesses
  Values Added: CWE-79
References
Metrics
  Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:03.875Z

Reserved: 2025-06-04T15:44:12.381Z

Link: CVE-2025-49411

Vulnrichment

Updated: 2025-08-20T13:45:13.840Z

NVD

Status: Deferred

Published: 2025-08-20T08:15:36.353

Modified: 2026-04-28T19:33:05.827

Link: CVE-2025-49411

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T08:30:06Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')