Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Coderz Studio Custom iFrame for Elementor custom-iframe allows DOM-Based XSS. This issue affects Custom iFrame for Elementor: from n/a through <= 1.0.13.
Published: 2025-09-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An input validation flaw in the Custom iFrame for Elementor plugin allows an attacker to inject malicious scripts via DOM-based XSS. The vulnerability enables execution of arbitrary script in the context of a victim's browser, potentially leading to session hijacking, data theft, and site defacement. The flaw stems from improper sanitization of user-provided content that is rendered within an iframe on the page.

Affected Systems

WordPress sites running the Coderz Studio "Custom iFrame for Elementor" plugin at version 1.0.13 or earlier are affected. Any deployment running one of these versions is exposed to the XSS risk.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires inserting crafted content into the plugin's iframe fields, which are normally available only to authenticated administrators but, if misconfigured, may be reachable by public users. The attack vector is inferred to involve unsanitized user input in the plugin's interface that is processed without proper escaping before rendering.

Generated by OpenCVE AI on April 30, 2026 at 00:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Custom iFrame for Elementor plugin to version 1.0.14 or later, or uninstall the plugin if it is not required.
  • Restrict the plugin's configuration screens to trusted administrators only, and, if a newer version is not immediately available, disable or delete any options that allow arbitrary HTML or script input.
  • Apply a Content Security Policy that blocks inline scripts or restricts script execution to trusted domains, thereby mitigating the impact of any remaining unsanitized content.



Advisories

Source: EUVD
ID: EUVD-2025-30508
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Coderz Studio Custom iFrame for Elementor allows DOM-Based XSS. This issue affects Custom iFrame for Elementor: from n/a through 1.0.13.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Coderz Studio Custom iFrame for Elementor allows DOM-Based XSS. This issue affects Custom iFrame for Elementor: from n/a through 1.0.13. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Coderz Studio Custom iFrame for Elementor custom-iframe allows DOM-Based XSS.This issue affects Custom iFrame for Elementor: from n/a through <= 1.0.13.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Tue, 23 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Elementor
Elementor elementor
Wordpress
Wordpress wordpress
Vendors & Products Elementor
Elementor elementor
Wordpress
Wordpress wordpress

Tue, 23 Sep 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Sep 2025 18:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Coderz Studio Custom iFrame for Elementor allows DOM-Based XSS. This issue affects Custom iFrame for Elementor: from n/a through 1.0.13.
Title WordPress Custom iFrame for Elementor Plugin <= 1.0.13 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:52.258Z

Reserved: 2025-09-17T18:00:39.585Z

Link: CVE-2025-59553

Vulnrichment

Updated: 2025-09-23T13:35:25.333Z

NVD

Status: Deferred

Published: 2025-09-22T19:16:23.987

Modified: 2026-04-23T15:34:03.530

Link: CVE-2025-59553

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T00:30:23Z

Weaknesses