CVE-2024-1341

Name of the Vulnerable Software and Affected Versions Advanced iFrame plugin for WordPress versions up to, and including, 2024.1

Description The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's advanced iframe shortcode. This vulnerability is due to the plugin allowing users to include JS files from external sources through the additional js attribute. Authenticated attackers with contributor-level and above permissions can inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Recommendations For versions up to, and including, 2024.1, consider disabling the advanced iframe shortcode until a patch is available to prevent exploitation. Restrict access to the additional js attribute to minimize the risk of arbitrary web script injection. At the moment, there is no information about a newer version that contains a fix for this vulnerability.