Vulnerability Description
The iframe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `iframe` shortcode in versions up to, and including, 4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permission and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This was partially patched in version 4.6 and fully patched in version 4.7.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Iframe Project | Iframe | < 4.7 |
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/browser/iframe/tags/4.5/iframe.php#L28Exploit
- https://plugins.trac.wordpress.org/browser/iframe/tags/4.5/iframe.php#L40Exploit
- https://plugins.trac.wordpress.org/changeset/2970787/iframe#file4Patch
- https://www.wordfence.com/threat-intel/vulnerabilities/id/3706deed-55f2-4dfb-bfePatchThird Party Advisory
- https://plugins.trac.wordpress.org/browser/iframe/tags/4.5/iframe.php#L28Exploit
- https://plugins.trac.wordpress.org/browser/iframe/tags/4.5/iframe.php#L40Exploit
- https://plugins.trac.wordpress.org/changeset/2970787/iframe#file4Patch
- https://www.wordfence.com/threat-intel/vulnerabilities/id/3706deed-55f2-4dfb-bfePatchThird Party Advisory
FAQ
What is CVE-2023-4919?
CVE-2023-4919 is a vulnerability with a CVSS score of 6.4 (MEDIUM). The iframe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `iframe` shortcode in versions up to, and including, 4.6 due to insufficient input sanitization and output escaping...
How severe is CVE-2023-4919?
CVE-2023-4919 has been rated MEDIUM with a CVSS base score of 6.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-4919?
Check the references section above for vendor advisories and patch information. Affected products include: Iframe Project Iframe.