CVE-2024-4365

Name of the Vulnerable Software and Affected Versions Advanced iFrame plugin for WordPress versions up to and including 2024.3

Description The issue arises from insufficient input sanitization and output escaping, allowing authenticated attackers with contributor-level permissions and above to inject arbitrary web scripts in pages via the add iframe url as param direct parameter. This enables the execution of injected scripts whenever a user accesses an injected page.

Recommendations For Advanced iFrame plugin for WordPress versions up to and including 2024.3, consider disabling the add iframe url as param direct parameter until a patch is available to prevent exploitation.