CVE-2023-7069 in Advanced iFrame Plugininfo

Summary

by MITRE • 02/01/2024

The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'advanced_iframe' shortcode in all versions up to, and including, 2023.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2024-24870 is likely a duplicate of this issue.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 04/11/2026

The Advanced iFrame plugin for WordPress represents a significant security vulnerability classified as CVE-2023-7069, affecting all versions up to and including 2023.10. This vulnerability manifests as a stored cross-site scripting flaw within the plugin's advanced_iframe shortcode implementation, creating a persistent threat vector that can compromise user sessions and execute malicious code on affected websites. The vulnerability specifically arises from inadequate input sanitization and output escaping mechanisms that fail to properly validate or escape user-supplied attributes passed to the shortcode functionality.

The technical exploitation of this vulnerability requires an authenticated attacker possessing contributor-level permissions or higher, which represents a concerning privilege escalation risk within WordPress environments. Attackers can leverage this weakness by injecting malicious scripts through the shortcode attributes, which are then stored within the WordPress database and executed whenever legitimate users access pages containing the compromised content. This stored nature of the vulnerability means that the malicious payloads persist even after the initial injection, creating a long-term threat that can affect multiple users over extended periods. The vulnerability directly maps to CWE-79, which specifically addresses Cross-Site Scripting flaws, and aligns with ATT&CK technique T1566.001 for Initial Access through spearphishing attachments or links.

The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to perform session hijacking, steal user credentials, redirect victims to malicious websites, or even escalate privileges within the compromised WordPress installation. The fact that this affects authenticated users with contributor permissions means that organizations with less stringent permission controls may face increased risk, as these roles typically have the ability to create and edit content. The vulnerability's presence in the advanced_iframe shortcode suggests that any website utilizing this plugin for embedding external content faces potential compromise, particularly in environments where content contributors have elevated privileges. This creates a substantial risk for businesses and organizations that rely on WordPress for content management and may have less sophisticated security monitoring in place to detect such persistent threats.

Mitigation strategies should prioritize immediate plugin updates to versions that address the sanitization and escaping deficiencies, while also implementing additional security measures such as role-based access controls to limit contributor permissions and content review processes. Organizations should conduct thorough security assessments of their WordPress installations to identify any other plugins that may suffer from similar input validation weaknesses. The vulnerability demonstrates the critical importance of proper input sanitization and output escaping in web applications, particularly for plugins that handle user-supplied content. Security monitoring should include detection of unusual shortcode usage patterns and regular scanning for stored malicious content within the WordPress database to prevent exploitation of this and similar vulnerabilities.

Responsible

Wordfence

Reservation

12/21/2023

Disclosure

02/01/2024

Moderation

accepted

CPE

ready

EPSS

0.00315

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!