CVE-2024-4365 – Advanced iFrame <= 2024.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-4365
The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'add_iframe_url_as_param_direct' parameter in versions up to, and including, 2024.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
• https://plugins.trac.wordpress.org/browser/advanced-iframe/trunk/includes/advanced-iframe-main-after-iframe.php#L30
• https://plugins.trac.wordpress.org/changeset/3090438
• https://www.wordfence.com/threat-intel/vulnerabilities/id/21990e54-c3a2-4bca-b164-132ad456e651?source=cve
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-1341 – Advanced iFrame <= 2024.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-1341
The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's advanced_iframe shortcode in all versions up to, and including, 2024.1 because the plugin allows users to include JS files from external sources through the additional_js attribute. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
• https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3042304%40advanced-iframe&new=3042304%40advanced-iframe&sfp_email=&sfph_mail=
• https://www.wordfence.com/threat-intel/vulnerabilities/id/699e5c80-8a11-4f67-8b17-41170d9c6411?source=cve
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')