Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mdempfle Advanced iFrame advanced-iframe allows DOM-Based XSS.This issue affects Advanced iFrame: from n/a through <= 2025.10.
Published: 2026-02-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-site scripting (DOM-based XSS)
Action: Patch
AI Analysis

Impact

An unsafe handling of user input in the Advanced iFrame plugin leads to a DOM-based cross‑site scripting flaw. The flaw permits injection of arbitrary JavaScript into a victim’s browser context, potentially enabling credential theft, session hijacking or malicious content injection. The weakness is classified as a classic input validation issue, CWE‑79.

Affected Systems

All releases of mdempfle's Advanced iFrame plugin from the initial release through version 2025.10 contain the vulnerability and should be considered vulnerable.

Risk and Exploitability

The CVSS base score is 6.5, indicating moderate severity, and the EPSS score is below 1 %, signifying a low current exploitation likelihood. The vulnerability is not listed in the CISA KEV catalog, and no verified public exploit is disclosed. The attack vector would typically involve a maliciously crafted URL or user-supplied iframe parameters that a user inadvertently visits or interacts with.

Generated by OpenCVE AI on April 16, 2026 at 06:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Advanced iFrame plugin to the latest release that removes the vulnerability.
  • If an upgrade is not yet available, disable or uninstall the plugin to prevent exposure.
  • As a temporary protective measure, apply a Content Security Policy that restricts script execution from untrusted sources or sanitize any iframe parameters before rendering.

Generated by OpenCVE AI on April 16, 2026 at 06:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Mdempfle
Mdempfle advanced Iframe
Wordpress
Wordpress wordpress
Vendors & Products Mdempfle
Mdempfle advanced Iframe
Wordpress
Wordpress wordpress

Thu, 19 Feb 2026 08:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mdempfle Advanced iFrame advanced-iframe allows DOM-Based XSS.This issue affects Advanced iFrame: from n/a through <= 2025.10.
Title WordPress Advanced iFrame plugin <= 2025.10 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Mdempfle Advanced Iframe
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:14:58.767Z

Reserved: 2026-02-02T12:53:47.194Z

Link: CVE-2026-25453

cve-icon Vulnrichment

Updated: 2026-02-20T17:44:33.025Z

cve-icon NVD

Status : Deferred

Published: 2026-02-19T09:16:24.720

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25453

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T06:30:06Z

Weaknesses