CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-4365 – Advanced iFrame <= 2024.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-4365
The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘add_iframe_url_as_param_direct’ parameter in versions up to, and including, 2024.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento Advanced iFrame para WordPress es vulnerable a Cross-Site Scripting Almacenado a través del parámetro 'add_iframe_url_as_param_direct' en versiones hasta la 2024.3 incluida debido a una sanitización de entrada y un escape de salida insuficientes. Esto hace posible que atacantes autenticados, con permisos de nivel de colaborador y superiores, inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. • https://plugins.trac.wordpress.org/browser/advanced-iframe/trunk/includes/advanced-iframe-main-after-iframe.php#L30 https://plugins.trac.wordpress.org/changeset/3090438 https://www.wordfence.com/threat-intel/vulnerabilities/id/21990e54-c3a2-4bca-b164-132ad456e651?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1341 – Advanced iFrame <= 2024.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-1341
The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's advanced_iframe shortcode in all versions up to, and including, 2024.1 due to the plugin allowing users to include JS files from external sources through the additional_js attribute. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento Advanced iFrame para WordPress es vulnerable a Cross-Site Scripting Almacenado a través del código corto advanced_iframe del complemento en todas las versiones hasta la 2024.1 incluida, debido a que el complemento permite a los usuarios incluir archivos JS de fuentes externas a través del atributo adicional_js. Esto hace posible que atacantes autenticados con permisos de nivel de colaborador y superiores inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3042304%40advanced-iframe&new=3042304%40advanced-iframe&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/699e5c80-8a11-4f67-8b17-41170d9c6411?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-24870 – WordPress Advanced iFrame Plugin <= 2023.10 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2024-24870
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michael Dempfle Advanced iFrame allows Stored XSS.This issue affects Advanced iFrame: from n/a through 2023.10. La vulnerabilidad de neutralización inadecuada de la entrada durante la generación de páginas web ('cross-site Scripting') en Michael Dempfle Advanced iFrame permite almacenar XSS. Este problema afecta a Advanced iFrame: desde n/a hasta 2023.10. • https://patchstack.com/database/vulnerability/advanced-iframe/wordpress-advanced-iframe-plugin-2023-10-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-51690 – WordPress Advanced iFrame Plugin <= 2023.8 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-51690
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Advanced iFrame allows Stored XSS.This issue affects Advanced iFrame: from n/a through 2023.8. La vulnerabilidad de neutralización incorrecta de la entrada durante de generación de páginas web ('Cross-site Scripting') en Advanced iFrame permite XSS almacenado. Este problema afecta a Advanced iFrame: desde n/a hasta 2023.8. • https://patchstack.com/database/vulnerability/advanced-iframe/wordpress-advanced-iframe-plugin-2023-8-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-7069 – Advanced iFrame <= 2023.10 - Authenticated (Contributor+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-7069
The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'advanced_iframe' shortcode in all versions up to, and including, 2023.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2024-24870 is likely a duplicate of this issue. El complemento Advanced iFrame para WordPress es vulnerable a cross site scripting almacenado a través del código corto 'advanced_iframe' del complemento en todas las versiones hasta la 2023.10 incluida debido a una sanitización de entrada insuficiente y a un escape de salida en los atributos proporcionados por el usuario. Esto hace posible que atacantes autenticados con permisos de nivel de colaborador y superiores inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3027702%40advanced-iframe&new=3027702%40advanced-iframe&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/2e32c51d-2d96-4545-956f-64f65c54b33b?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •