{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-6987", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-01T20:42:43.684Z", "datePublished": "2025-07-26T06:43:21.917Z", "dateUpdated": "2026-04-08T16:58:54.422Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:58:54.422Z"}, "affected": [{"vendor": "mdempfle", "product": "Advanced iFrame", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2025.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'advanced_iframe' shortcode in all versions up to, and including, 2025.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Advanced iFrame <= 2025.5 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6acb99eb-d61c-4d1f-b399-32db07c7e3e7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/advanced-iframe/trunk/advanced-iframe.php#L725"}, {"url": "https://plugins.trac.wordpress.org/browser/advanced-iframe/trunk/includes/advanced-iframe-main-read-config.php"}, {"url": "https://plugins.trac.wordpress.org/browser/advanced-iframe/trunk/includes/advanced-iframe-main-iframe.php#L419"}, {"url": "https://plugins.trac.wordpress.org/changeset/3329909/advanced-iframe/trunk/includes/advanced-iframe-main-read-config.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2025-07-24T18:06:15.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-07-25T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-28T16:04:34.220392Z", "id": "CVE-2025-6987", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-28T16:04:39.330Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-6987", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-28T16:04:34.220392Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-28T16:04:36.472Z"}}], "cna": {"title": "Advanced iFrame <= 2025.5 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "mdempfle", "product": "Advanced iFrame", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2025.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-24T18:06:15.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-07-25T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6acb99eb-d61c-4d1f-b399-32db07c7e3e7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/advanced-iframe/trunk/advanced-iframe.php#L725"}, {"url": "https://plugins.trac.wordpress.org/browser/advanced-iframe/trunk/includes/advanced-iframe-main-read-config.php"}, {"url": "https://plugins.trac.wordpress.org/browser/advanced-iframe/trunk/includes/advanced-iframe-main-iframe.php#L419"}, {"url": "https://plugins.trac.wordpress.org/changeset/3329909/advanced-iframe/trunk/includes/advanced-iframe-main-read-config.php"}], "descriptions": [{"lang": "en", "value": "The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'advanced_iframe' shortcode in all versions up to, and including, 2025.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:58:54.422Z"}}}, "cveMetadata": {"cveId": "CVE-2025-6987", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:58:54.422Z", "dateReserved": "2025-07-01T20:42:43.684Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-26T06:43:21.917Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'advanced_iframe' shortcode in all versions up to, and including, 2025.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Advanced iFrame para WordPress es vulnerable a Cross-Site Scripting almacenado a trav\u00e9s del shortcode 'advanced_iframe' en todas las versiones hasta la 2025.5 incluida, debido a una depuraci\u00f3n de entrada insuficiente y al escape de salida en los atributos proporcionados por el usuario. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-6987", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-07-26T07:15:25.770", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/advanced-iframe/trunk/advanced-iframe.php#L725"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/advanced-iframe/trunk/includes/advanced-iframe-main-iframe.php#L419"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/advanced-iframe/trunk/includes/advanced-iframe-main-read-config.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3329909/advanced-iframe/trunk/includes/advanced-iframe-main-read-config.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6acb99eb-d61c-4d1f-b399-32db07c7e3e7?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T04:02:40.916829+00:00", "value": {"mitigation_remediation": ["Check the vendor\u2019s website or the WordPress plugin repository for an updated version of the Advanced\u00a0iFrame plugin that resolves the XSS issue and install it immediately", "If no patch is available right now, permanently remove or disable the 'advanced_iframe' shortcode from posts, pages, or templates to eliminate the attack surface", "Restrict the Contributor role so that users who cannot edit shortcodes are not permitted to add or modify 'advanced_iframe' content, thereby limiting the potential for exploitation."], "summary": {"action": "Update Plugin", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All WordPress sites that have installed mdempfle\u2019s Advanced\u00a0iFrame plugin with a version no newer than 2025.5 are vulnerable. The flaw resides in the rendering of the shortcode, so any site that uses this shortcode\u2014regardless of theme or other plugins\u2014is impacted.", "description_and_impact": "The Advanced\u00a0iFrame plugin for WordPress contains a stored cross\u2011site scripting flaw in the 'advanced_iframe' shortcode: the plugin fails to properly sanitize or escape user\u2011supplied attributes. An authenticated user with contributor or higher privileges can inject arbitrary JavaScript payloads into a page title or description, and that payload is stored in the database and subsequently rendered whenever any visitor opens the page. The injected script executes in the visitor\u2019s browser, potentially allowing an attacker to steal session cookies, deface content, or load additional malicious resources. The effect is that a single malicious contributor can compromise the browsers of any user who views the affected page.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity. The EPSS score of less than 1% suggests that exploitation attempts are currently rare. The vulnerability is not listed in the CISA KEV catalog, meaning there are no confirmed large\u2011scale exploit campaigns at this time. Attack requires that the user be authenticated with at least contributor privileges, narrowing the attacker pool to users who have been granted editing access. Based on the description, the likely attack vector is the execution of injected scripts in ordinary users\u2019 browsers when they view an affected page; this inference follows from the stored\u2011content nature of the flaw."}}}}, "created": "2025-07-28T12:45:45.939321+00:00", "updated": "2026-04-22T04:15:07.534320+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}