The Advanced iFrame plugin for WordPress suffers from a stored cross-site scripting vulnerability (CWE-79) in all versions up to and including 2024.5. This vulnerability is due to improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of the 'src' attribute in the 'advanced_iframe' shortcode. Authenticated attackers with contributor-level permissions or higher can inject malicious scripts via the 'src' attribute when it returns a header containing injected values. These scripts execute in the context of users visiting the compromised pages, potentially leading to session hijacking or other script-based attacks. The CVSS 3.1 base score is 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N), reflecting network attack vector, low attack complexity, required privileges, no user interaction, scope change, and limited confidentiality and integrity impact without availability impact. No patch or official fix is currently documented.

Successful exploitation allows authenticated users with contributor-level access or higher to inject persistent malicious scripts into pages using the Advanced iFrame plugin. These scripts execute in the browsers of users who view the affected pages, potentially compromising confidentiality and integrity of user data within the affected site context. The vulnerability does not impact availability. There are no known exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, limit contributor-level access to trusted users only and consider disabling or removing the Advanced iFrame plugin if feasible. Monitor vendor channels for updates and apply patches promptly once available.