CVE CyberSecurity Database News

CVE-2024-4365 - How a WordPress Plugin Opened Doors with a Stored XSS Vulnerability

Poster -

The Advanced iFrame plugin is a popular tool for WordPress sites. It lets site owners embed content from other pages in an easy, customizable iFrame. But sometimes powerful features come with risks, and in this case, a security hole was found that could let hackers inject nasty scripts on your website—stealing cookies, hijacking accounts, or even defacing your pages.

Let's break down what CVE-2024-4365 is, how it works, and how you can protect yourself.

What is CVE-2024-4365?

CVE-2024-4365 is a vulnerability classified as Stored Cross-Site Scripting (XSS) in the Advanced iFrame plugin for WordPress. The bug affects plugin versions up to and including 2024.3.

What’s the Risk?

An attacker with contributor-level access (or higher) on your website can store JavaScript code using the add_iframe_url_as_param_direct parameter. Anyone who visits a page with the infected iframe will have the attacker's code run in their browser. It’s especially dangerous, because it lets the attacker:

The Technical Dirt

The plugin doesn’t properly sanitize (clean up) or escape (safely display) user input that lands in the add_iframe_url_as_param_direct parameter. That means if someone puts in a chunk of code like <script>alert("Hacked!")</script>, it ends up being stored and displayed as real code, not harmless text.

Bad Code Example (Inside Plugin Logic)

// This code simply takes user input and echoes it—no sanitization!
echo $_POST['add_iframe_url_as_param_direct'];

What It Should Look Like

// Sanitize before output
echo esc_html($_POST['add_iframe_url_as_param_direct']);

Real-World Exploit Example

Suppose an attacker with contributor-level permissions creates a post and uses the plugin’s shortcode like this:

[advanced_iframe add_iframe_url_as_param_direct="<script>alert('XSS by Hacker');</script>"]

When an admin or other visitor loads this page, their browser will execute the <script> tag—just as if the hacker themselves had typed it.

`

[advanced_iframe add_iframe_url_as_param_direct=""]

Save and publish the post.

5. Anyone opening the page sees an alert box from the injected script. Attackers could replace alert('XSS!') with anything—stealing user data or redirecting to malicious sites.

WordPress sites running the Advanced iFrame plugin up to version 2024.3

- Sites that allow untrusted users with *contributor* or higher permissions to create or edit posts using the plugin

How Do I Fix It?

Upgrade to the latest version! The plugin developer has fixed this in versions newer than 2024.3.

Update Advanced iFrame from your WordPress dashboard, or

2. Download the latest release from the official WordPress plugin page

More Reading & Sources

- Wordfence Threat Post on CVE-2024-4365
- NIST National Vulnerability Database – CVE-2024-4365
- Advanced iFrame Plugin on WordPress.org

Conclusion

Stored XSS vulnerabilities like the one in CVE-2024-4365 are particularly dangerous on platforms like WordPress, where plugins are widely used and many users have content creation privileges. Always keep your plugins up-to-date and limit contributor permissions when possible.

If you suspect your site was vulnerable, check for unexpected code in posts using Advanced iFrame, and update immediately. Let’s keep WordPress safe—one patch at a time!

Timeline

Published on: 05/23/2024 17:15:31 UTC
Last modified on: 06/04/2024 17:56:24 UTC