Advanced iFrame Security & Risk Analysis

wordpress.org/plugins/advanced-iframe

Include content the way YOU like in an iframe that can hide and modify elements, does auto-height, forward parameters and does many, many more...

40K active installs · v2026.0 · PHP 7.4+ · WP 5.5+ · Updated Mar 5, 2026
Tags: embed, iframe, modify-css, resize, shortcode
72
B · Generally Safe
CVEs total: 12
Unpatched: 1
Last CVE: Jan 19, 2026
Safety Verdict

Is Advanced iFrame Safe to Use in 2026?

Mostly Safe

Score 72/100

Advanced iFrame is generally safe to use. 12 past CVEs were resolved. Keep it updated.

12 known CVEs · 1 unpatched · Last CVE: Jan 19, 2026 · Updated 28d ago
Risk Assessment

The advanced-iframe plugin v2026.0 exhibits a mixed security posture. Static analysis shows a relatively small attack surface with no immediately apparent unprotected entry points, and the code contains a decent number of nonce and capability checks. Several concerning signals nevertheless emerge from the code analysis and vulnerability history. The plugin's single SQL query does not use a prepared statement, which is a significant risk and potentially opens the door to SQL injection. In addition, 64% of its output is not properly escaped, indicating a high potential for Cross-Site Scripting (XSS) vulnerabilities. The taint analysis also reveals a high-severity flow with unsanitized paths, which requires immediate attention.

The plugin has a history of 12 known CVEs. None is currently marked as critical or high, but one medium-severity vulnerability remains unpatched, and the record suggests a recurring pattern of security weaknesses, primarily related to improper input validation and XSS. This history, coupled with the current code signals, indicates that while the plugin attempts some security measures, there are fundamental flaws in how it handles user-supplied data and generates output, which could be exploited.

In conclusion, while the plugin has strengths like a controlled attack surface and some security checks, the significant number of historical vulnerabilities, the lack of prepared statements for SQL queries, the substantial amount of unescaped output, and the high-severity taint flow present a considerable risk. Users should exercise caution and prioritize patching any known vulnerabilities, alongside careful review of the plugin's code for the identified issues.

Key Concerns

  • Unpatched CVE
  • Raw SQL without prepare
  • High severity taint flow
  • High percentage of unescaped output
  • Bundled outdated library Freemius v1.0
Vulnerabilities
12

Advanced iFrame Security Vulnerabilities

CVEs by Year

  • 2022: 1 CVE
  • 2023: 1 CVE
  • 2024: 4 CVEs
  • 2025: 5 CVEs
  • 2026: 1 CVE · unpatched

Severity Breakdown

Medium: 12

12 total CVEs

CVE-2026-25453 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Advanced iFrame <= 2025.10 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jan 19, 2026 · Unpatched

CVE-2025-8089 · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Advanced iFrame <= 2025.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

Aug 15, 2025 · Patched in 2025.7 (1d)

CVE-2025-6987 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Advanced iFrame <= 2025.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jul 25, 2025 · Patched in 2025.6 (1d)

CVE-2025-1439 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Advanced iFrame <= 2024.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Host Header

Mar 25, 2025 · Patched in 2025.0 (1d)

CVE-2025-1437 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Advanced iFrame <= 2025.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Mar 25, 2025 · Patched in 2025.3 (135d)

CVE-2025-1440 · medium · 5.3 · Improper Input Validation

Advanced iFrame <= 2024.5 - Unauthenticated Settings Update

Mar 25, 2025 · Patched in 2025.0 (1d)

CVE-2024-4365 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Advanced iFrame <= 2024.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

May 22, 2024 · Patched in 2024.4 (2d)

CVE-2024-32079 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Advanced iFrame <= 2024.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Apr 11, 2024 · Patched in 2024.3 (7d)

CVE-2024-1341 · medium · 4.9 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Advanced iFrame <= 2024.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Feb 28, 2024 · Patched in 2024.2 (1d)

CVE-2023-7069 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Advanced iFrame <= 2023.10 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jan 31, 2024 · Patched in 2024.0 (181d)

CVE-2023-4775 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Advanced iFrame <= 2023.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Nov 9, 2023 · Patched in 2023.9 (75d)

CVE-2021-24953 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Advanced iFrame <= 2021.9 Reflected Cross-Site Scripting

Feb 2, 2022 · Patched in 2022 (720d)

Code Analysis
Analyzed Mar 16, 2026

Advanced iFrame Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (0 prepared)
Unescaped Output: 235 (134 escaped)
Nonce Checks: 6
Capability Checks: 1
File Operations: 28
External Requests: 1
Bundled Libraries: 2

Bundled Libraries

jQuery, Freemius 1.0

SQL Query Safety

0% prepared · 1 total queries

Output Escaping

36% escaped · 369 total outputs
Data Flows
6 unsanitized

Data Flow Analysis

9 flows · 6 with unsanitized paths
aiCheckRedirect (advanced-iframe.php:462)
Attack Surface

Advanced iFrame Attack Surface

Entry Points: 7
Unprotected: 0

AJAX Handlers 4

auth wp_ajax_aip_map_url_action advanced-iframe.php:1758
nopriv wp_ajax_aip_map_url_action advanced-iframe.php:1759
auth wp_ajax_aip_close_message_permanent advanced-iframe.php:1760
nopriv wp_ajax_aip_close_message_permanent advanced-iframe.php:1761

Shortcodes 3

[advanced_iframe] advanced-iframe.php:1738
[advanced-iframe] advanced-iframe.php:1739
[ai_advanced_js_local] advanced-iframe.php:1740
WordPress Hooks 33
filter connect_message_on_update advanced-iframe.php:90
action after_uninstall advanced-iframe.php:91
filter is_pricing_page_visible advanced-iframe.php:92
filter default_currency advanced-iframe.php:93
action media_buttons advanced-iframe.php:1718
action admin_menu advanced-iframe.php:1721
action init advanced-iframe.php:1722
action admin_enqueue_scripts advanced-iframe.php:1723
action wp_enqueue_scripts advanced-iframe.php:1724
action wp_footer advanced-iframe.php:1725
action admin_notices advanced-iframe.php:1726
action ai_check_iframes_event advanced-iframe.php:1728
action wp advanced-iframe.php:1729
action send_headers advanced-iframe.php:1730
action plugins_loaded advanced-iframe.php:1731
action parse_request advanced-iframe.php:1732
action template_redirect advanced-iframe.php:1733
action wp_head advanced-iframe.php:1734
action switch_theme advanced-iframe.php:1735
action upgrader_process_complete advanced-iframe.php:1744
filter content_edit_pre advanced-iframe.php:1746
filter the_content advanced-iframe.php:1747
filter ai_handle_temp_pages advanced-iframe.php:1748
filter widget_text advanced-iframe.php:1749
filter widget_text advanced-iframe.php:1750
filter plugin_action_links advanced-iframe.php:1751
filter preview_post_link advanced-iframe.php:1752
filter content_save_pre advanced-iframe.php:1755
action widgets_init advanced-iframe.php:1789
filter site_transient_update_plugins advanced-iframe.php:1791
filter auto_update_plugin advanced-iframe.php:1792
filter plugin_row_meta advanced-iframe.php:1916
filter plugin_row_meta advanced-iframe.php:1918

Scheduled Events 1

ai_check_iframes_event
Maintenance & Trust

Advanced iFrame Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 5, 2026
PHP min version: 7.4
Downloads: 2.4M

Community Trust

Rating: 86/100
Number of ratings: 55
Active installs: 40K
Developer Profile

Advanced iFrame Developer Profile

mdempfle

2 plugins · 40K total installs

Trust score: 64
Avg Security Score: 79/100
Avg Patch Time: 102 days
Detection Fingerprints

How We Detect Advanced iFrame

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/advanced-iframe/aip-admin.css
/wp-content/plugins/advanced-iframe/aip-admin.js
/wp-content/plugins/advanced-iframe/advanced-iframe.js
/wp-content/plugins/advanced-iframe/advanced-iframe.css
/wp-content/plugins/advanced-iframe/img/advanced-iframe.png
Script Paths
/wp-content/plugins/advanced-iframe/aip-admin.js
/wp-content/plugins/advanced-iframe/advanced-iframe.js
Version Parameters
/wp-content/plugins/advanced-iframe/aip-admin.css?ver=
/wp-content/plugins/advanced-iframe/aip-admin.js?ver=
/wp-content/plugins/advanced-iframe/advanced-iframe.js?ver=
/wp-content/plugins/advanced-iframe/advanced-iframe.css?ver=

HTML / DOM Fingerprints

CSS Classes
advanced_iframe
aip-admin-input
aip-admin-label
HTML Comments
<!-- Shortcode advanced_iframe -->
<!-- Shortcode advanced_iframe end -->
<!-- START Advanced iFrame Plugin -->
<!-- END Advanced iFrame Plugin -->
Data Attributes
data-advanced-iframe-wrapper
data-advanced-iframe-id
JS Globals
advanced_iframe_options
Shortcode Output
[advanced_iframe