WordPress Plugin Vulnerability Report – Advanced iFrame – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode – CVE-2023-4775
Plugin Name: Advanced iFrame
Key Information:
- Software Type: Plugin
- Software Slug: advanced-iframe
- Software Status: Active
- Software Author: mdempfle
- Software Downloads: 1,768,520
- Active Installs: 60,000
- Last Updated: November 9, 2023
- Patched Versions: 2023.9
- Affected Versions: <= 2023.8
Vulnerability Details:
- Name: Advanced iFrame <= 2023.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
- Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
- Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CVE: CVE-2023-4775
- CVSS Score: 6.4 (Medium)
- Publicly Published: November 9, 2023
- Researcher: István Márton
- Description: The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'advanced_iframe' shortcode in versions up to, and including, 2023.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Summary:
The Advanced iFrame plugin for WordPress has a vulnerability in versions up to and including 2023.8 that allows authenticated users with contributor level access or higher to inject arbitrary JavaScript payloads into pages using the advanced_iframe shortcode. This vulnerability has been patched in version 2023.9.
Detailed Overview:
The Advanced iFrame plugin allows contributors and authors to embed iframes into pages using the advanced_iframe shortcode. However, insufficient sanitization of the shortcode attributes makes it possible to inject arbitrary JavaScript payloads. This allows attackers with contributor access or higher to store cross-site scripting payloads that will execute whenever a victim views a compromised page.
This vulnerability was privately disclosed to the plugin author István Márton on November 9, 2023 and has been patched in version 2023.9. All Advanced iFrame users are advised to update immediately to avoid potential compromise. The impact of this vulnerability is increased for sites where contributors regularly author content.
Advice for Users:
- Immediate Action: Update to version 2023.9 or higher to patch this vulnerability.
- Check for Signs of Vulnerability: Review recent edits by contributors for potential malicious injections.
- Alternate Plugins: Consider using alternate iframe plugins like Embed iframe or oEmbed iframe as a precaution.
- Stay Updated: Always keep your plugins updated to avoid known vulnerabilities.
Conclusion:
The quick response by the plugin author to address this vulnerability is appreciated. Users should install version 2023.9 immediately to prevent potential compromise of their WordPress sites. Proper restrictions on user roles and careful auditing of content is advised.
References:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/advanced-iframe
Detailed Report:
Keeping your WordPress website secure requires constant vigilance - new vulnerabilities are discovered regularly that can put your site at risk if left unpatched. Recently, a serious stored cross-site scripting (XSS) vulnerability was disclosed in the popular Advanced iFrame plugin, which is active on over 60,000 WordPress sites.
This vulnerability allows authenticated users with contributor access or higher to inject malicious JavaScript payloads into pages that will execute whenever a visitor loads the page. This puts your site visitors at risk of credential theft, site defacement, malware injection and more.
The good news is that the plugin author has acted quickly to patch the vulnerability in the latest release. However, many sites may still be running older, vulnerable versions of the plugin.
In this post, we'll provide an overview of the vulnerability, specific risks, and steps you can take to secure your website.
Overview of the Advanced iFrame Plugin
Advanced iFrame is a widely used plugin with over 1.7 million downloads that allows embedding iframes into WordPress pages and posts using shortcodes. It has handy features like auto-height adjustment and keeps iframe content isolated from the rest of the page.
With over 60,000 active installs, many sites rely on Advanced iFrame for easily embedding videos, maps, forms and more.
Vulnerability Allows Stored XSS Attacks
The vulnerability, tracked as CVE-2023-4775, makes it possible to inject arbitrary JavaScript payloads into pages that support the advanced_iframe shortcode.
Specifically, the shortcode does not properly sanitize user-supplied attributes before outputting them in the iframe embed code.
This means any user with contributor access or above can embed malicious scripts that will execute when a page visitor loads the compromised page. The scripts can do things like steal session cookies, redirect to phishing sites, or insert hidden malware downloads.
Risks and Potential Impacts
This is a serious vulnerability since it can lead to compromise of both site visitors and administrators. Potential impacts include:
- Session hijacking and credential theft by stealing admin cookies
- Defacement of website content
- Malware downloads or crypto mining injected into site pages
- Phishing content added to steal visitor credentials
- Spamming content added to pages
- SEO impact from malicious links and content
Attackers could use stored XSS to gain a foothold on vulnerable sites and fully compromise the site and server if not patched.
Versions Affected
The vulnerability affects all versions of Advanced iFrame up to and including 2023.8.
Version 2023.9 fixes the vulnerability by properly sanitizing shortcode attributes before output.
How to Check if Your Site is Vulnerable
To check if your site is affected, simply go to Plugins > Installed Plugins and check the version of Advanced iFrame.
If it is 2023.8 or lower, you are vulnerable and must update.
How to Update and Patch
Fortunately, fixing this issue is straightforward:
- Back up your site fully
- Update Advanced iFrame to version 2023.9 or higher
- Check your site for any signs of compromise
The developer acted quickly to patch the vulnerability, so updating plugins is all that is needed.
Be sure to backup before updating in case you need to roll back. And check your content, files, and database for any malicious injections after updating.
Previous Vulnerabilities
This is not the first vulnerability found in Advanced iFrame. One previous XSS vulnerability was patched earlier in 2022.
This underscores the importance of promptly updating WordPress and all plugins when new releases come out to fix security issues.
Conclusion
This vulnerability highlights why it is critical to keep your plugins updated, especially ones that allow user-generated content like Advanced iFrame.
While the developer has released a patch, many sites likely still run vulnerable versions and are at risk.
Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.
Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.
Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.