[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f4751GEQRFz6E7tOQZH5UurzM5XHfp3irkQgR3qE7fn0":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":25,"download_link":26,"security_score":27,"vuln_count":28,"unpatched_count":29,"last_vuln_date":30,"fetched_at":31,"vulnerabilities":32,"developer":179,"crawl_stats":38,"alternatives":185,"analysis":293,"fingerprints":1096},"advanced-iframe","Advanced iFrame","2026.0","mdempfle","https:\u002F\u002Fprofiles.wordpress.org\u002Fmdempfle\u002F","\u003Cblockquote>\n\u003Cp>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwww.advanced-iframe.com\u002F\" rel=\"nofollow ugc\">New website: advanced-iframe.com\u003C\u002Fa>\u003C\u002Fstrong>\u003Cbr \u002F>\n  \u003Cstrong>\u003Ca href=\"https:\u002F\u002Fwww.advanced-iframe.com\u002Fadvanced-iframe\u002Fdemo-advanced-iframe-2-0\" rel=\"nofollow ugc\">Demo\u003C\u002Fa>\u003C\u002Fstrong>\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Cp>Include content the way YOU like in an iframe that can hide and modify elements, does auto height, forward parameters and does many, many more…\u003C\u002Fp>\n\u003Ch4>Main features of advanced iframe\u003C\u002Fh4>\n\u003Cp>By entering the shortcode ‘[advanced_iframe]’ you can include any webpage to any page or article.\u003C\u002Fp>\n\u003Cp>Advanced iFrame now has out of the box support for embedded 3D models using the p3d 3D viewer. Go to https:\u002F\u002Fp3d.in\u002Fb\u002F24 and download a pre-configured plugin where the model does scale already nicely on all devices. Get started for free! 
If you need more storage or access to the Premium features of p3d.in, you can get a 50% discount on your first payment with the coupon AIFRAME on checkout.\u003C\u002Fp>\n\u003Cp>The following cool features compared to a normal iframe are implemented:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Hide areas of the layout to give the iframe more space (see screenshot)\u003C\u002Fli>\n\u003Cli>Show only specific areas of the iframe when the iframe is on the same domain (The Pro version supports this on different domains) or include parts directly by jQuery\u003C\u002Fli>\n\u003Cli>Modify css styles in the parent and the iframe to e.g. change the width of the content area (see screenshot)\u003C\u002Fli>\n\u003Cli>Forward parameters to the iframe\u003C\u002Fli>\n\u003Cli>Resize the iframe to the content height or width on loading, AJAX or click\u003C\u002Fli>\n\u003Cli>Responsive videos (moved from the pro to the free version in v2022)\u003C\u002Fli>\n\u003Cli>Scroll the parent to the top when the iframe is loaded\u003C\u002Fli>\n\u003Cli>Hide the content until it is fully loaded\u003C\u002Fli>\n\u003Cli>Add a css and js file to the parent page\u003C\u002Fli>\n\u003Cli>Security code: You can only insert the shortcode with a valid security code from the administration.\u003C\u002Fli>\n\u003Cli>Many additional cool features are available in the pro version – see https:\u002F\u002Fwww.advanced-iframe.com\u002Fadvanced-iframe\u002Fadvanced-iframe-comparison-chart\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>In the free version you can update to the pro version directly or test all features in the 30 days trial!\u003C\u002Fp>\n\u003Cp>Please note: Modifications inside the iframe are only possible if you are on the same domain or use a workaround like described in the settings.\u003C\u002Fp>\n\u003Cp>So please check first if the iframe page and the parent page are on the same domain. www.example.com and text.example.com are different domains! 
Please check in the documentation if you can use the feature you like\u003C\u002Fp>\n\u003Cp>A free iframe checker is available at\u003Cbr \u002F>\nhttps:\u002F\u002Fwww.advanced-iframe.com\u002Fadvanced-iframe\u002Ffree-iframe-checker.\u003Cbr \u002F>\nThis tool does check if a page is allowed to be included!\u003C\u002Fp>\n\u003Cp>All settings can be set with shortcode attributes as well. If you only use one iframe please use the settings in the administration because there each parameter is explained in detail and also the defaults are set there.\u003C\u002Fp>\n\u003Ch4>Limitations of the free version\u003C\u002Fh4>\n\u003Cp>The free version has no functional restrictions and is for personal and small non-commercial sites. After 10.000 views\u002Fmonth you have to opt-in to get unlimited views. If you do not opt-in the iframe is still working 100% and at the bottom of the iframe a small notice to opt-in is shown.\u003C\u002Fp>\n\u003Ch4>Upgrading to Advanced IFrame Pro\u003C\u002Fh4>\n\u003Cp>It’s quick and painless to get Advanced iFrame Pro. Simply sign up for the 30 days trial or buy directly in the plugin. You can then use the plugin on commercial, business, and professional sites and blogs. 
You furthermore get:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Show only specific areas of the iframe even when the iframe is on a different domain\u003C\u002Fli>\n\u003Cli>Graphical content selector: https:\u002F\u002Fwww.mdempfle.de\u002Fdemos\u002Fconfigurator\u002Fadvanced-iframe-area-selector.html\u003C\u002Fli>\n\u003Cli>External workaround supports iframe modifications\u003C\u002Fli>\n\u003Cli>Widget support\u003C\u002Fli>\n\u003Cli>No view limit\u003C\u002Fli>\n\u003Cli>Hide areas of an iframe\u003C\u002Fli>\n\u003Cli>Browser detection\u003C\u002Fli>\n\u003Cli>Change link targets\u003C\u002Fli>\n\u003Cli>URL forward parameter mapping.\u003C\u002Fli>\n\u003Cli>Zoom iframe content\u003C\u002Fli>\n\u003Cli>Accordion menu\u003C\u002Fli>\n\u003Cli>jQuery help\u003C\u002Fli>\n\u003Cli>Advanced lazy load\u003C\u002Fli>\n\u003Cli>Standalone version – can be used in ANY php page!\u003C\u002Fli>\n\u003Cli>And much more…\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>You can find the comparison chart here: https:\u002F\u002Fwww.advanced-iframe.com\u002Fadvanced-iframe\u002Fadvanced-iframe-comparison-chart\u003Cbr \u002F>\nSee the pro demo here:\u003Cbr \u002F>\nhttps:\u002F\u002Fwww.advanced-iframe.com\u002Fadvanced-iframe\u002Fadvanced-iframe-pro-demo\u003C\u002Fp>\n\u003Ch4>Administration\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Go to Settings -> Advanced iFrame\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Quick start guide\u003C\u002Fh4>\n\u003Cp>The quickstart guide is also available as video: https:\u002F\u002Fwww.advanced-iframe.com\u002Fadvanced-iframe\u002Fadvanced-iframe-video-tutorials\u003C\u002Fp>\n\u003Cp>To include a webpage to your page please check the following things first:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Check if your page is allowed to be included https:\u002F\u002Fwww.advanced-iframe.com\u002Fadvanced-iframe\u002Ffree-iframe-checker!\u003C\u002Fli>\n\u003Cli>Check if the iframe page and the parent page are on the same domain. 
www.example.com and text.example.com are different domains!\u003C\u002Fli>\n\u003Cli>Can you modify the page that should be included?\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Most likely you have one of the following setups:\u003C\u002Fp>\n\u003Col>\n\u003Cli>iframe cannot be included:  You cannot include the content because the owner does not allow this.\u003C\u002Fli>\n\u003Cli>iframe can be included and you are on a different domain: See the feature comparison chart: https:\u002F\u002Fwww.advanced-iframe.com\u002Fadvanced-iframe\u002Fadvanced-iframe-comparison-chart and the feature overview https:\u002F\u002Fwww.advanced-iframe.com\u002Fadvanced-iframe\u002Fadvanced-iframe-features-availability-overview. To resize the content to the height\u002Fwidth or modify css you need to modify the remote iframe page by adding one line of JavaScript to enable the provided workaround.\u003C\u002Fli>\n\u003Cli>iframe can be included and you are on the same domain: All features of the plugin can be used.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>If you mix http and https read https:\u002F\u002Fwww.advanced-iframe.com\u002Fiframe-do-not-mix-http-and-https. Parent https and iframe http does not work on all major browsers!\u003C\u002Fp>\n\u003Ch4>Advanced iframe attributes\u003C\u002Fh4>\n\u003Cp>Below you find all possible shortcode attributes. 
If you only use one iframe please use the settings in the administration because there each parameter is explained in detail and also the defaults are set there.\u003C\u002Fp>\n\u003Cp>Setting an attribute does overwrite the setting in the administration.\u003C\u002Fp>\n\u003Cp>[advanced_iframe securitykey=””   src=””\u003Cbr \u002F>\n  id=””   name=””\u003Cbr \u002F>\n  width=””   height=””\u003Cbr \u002F>\n  marginwidth=””   marginheight=””\u003Cbr \u002F>\n  scrolling=””   frameborder=””\u003Cbr \u002F>\n  class=””   style=””\u003Cbr \u002F>\n  content_id=””   content_styles=””\u003Cbr \u002F>\n  hide_elements=””   url_forward_parameter=””\u003Cbr \u002F>\n  onload=””   onload_resize=””\u003Cbr \u002F>\n  onload_scroll_top=””   onload_show_element_only=””\u003Cbr \u002F>\n  store_height_in_cookie=””   additional_height=””\u003Cbr \u002F>\n  additional_js=””   additional_css=””\u003Cbr \u002F>\n  iframe_content_id=””   iframe_content_styles=””\u003Cbr \u002F>\n  iframe_hide_elements=””  hide_page_until_loaded=””\u003Cbr \u002F>\n  include_hide_page_until_loaded=””\u003Cbr \u002F>\n  include_url=”” include_content=””\u003Cbr \u002F>\n  include_height=””  include_fade=””\u003Cbr \u002F>\n  onload_resize_width=””   resize_on_ajax=””\u003Cbr \u002F>\n  resize_on_ajax_jquery=””   resize_on_click=””\u003Cbr \u002F>\n  resize_on_click_elements=””   use_shortcode_attributes_only=””\u003Cbr \u002F>\n  onload_resize_delay=””\u003Cbr \u002F>\n  ]\u003C\u002Fp>\n","Include content the way YOU like in an iframe that can hide and modify elements, does auto-height, forward parameters and does many, many more...",40000,2370567,86,55,"2026-03-05T21:11:00.000Z","6.9.4","5.5","7.4",[20,21,22,23,24],"embed","iframe","modify-css","resize","shortcode","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fadvanced-iframe\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadvanced-iframe.2026.0.zip",72,12,1,"2026-01-19 
00:00:00","2026-03-15T15:16:48.613Z",[33,47,60,71,82,94,105,117,129,142,154,166],{"id":34,"url_slug":35,"title":36,"description":37,"plugin_slug":4,"theme_slug":38,"affected_versions":39,"patched_in_version":38,"severity":40,"cvss_score":41,"cvss_vector":42,"vuln_type":43,"published_date":30,"updated_date":44,"references":45,"days_to_patch":38},"CVE-2026-25453","advanced-iframe-authenticated-contributor-stored-cross-site-scripting-7","Advanced iFrame \u003C= 2025.10 - Authenticated (Contributor+) Stored Cross-Site Scripting","The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2025.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",null,"\u003C=2025.10","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-26 20:16:24",[46],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fdcdcb29e-48d0-4e22-8e11-0c76b4355268?source=api-prod",{"id":48,"url_slug":49,"title":50,"description":51,"plugin_slug":4,"theme_slug":38,"affected_versions":52,"patched_in_version":53,"severity":40,"cvss_score":54,"cvss_vector":55,"vuln_type":43,"published_date":56,"updated_date":57,"references":58,"days_to_patch":29},"CVE-2025-8089","advanced-iframe-authenticated-contributor-stored-cross-site-scripting-6","Advanced iFrame \u003C= 2025.6 - Authenticated (Contributor+) Stored Cross-Site Scripting","The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'additional' parameter in version less than, or equal to, 2025.6 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","\u003C=2025.6","2025.7",5.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:L\u002FI:L\u002FA:N","2025-08-15 18:33:05","2025-08-16 06:39:23",[59],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F97985b75-6ac9-4aba-8f76-5633418e7907?source=api-prod",{"id":61,"url_slug":62,"title":63,"description":64,"plugin_slug":4,"theme_slug":38,"affected_versions":65,"patched_in_version":66,"severity":40,"cvss_score":41,"cvss_vector":42,"vuln_type":43,"published_date":67,"updated_date":68,"references":69,"days_to_patch":29},"CVE-2025-6987","advanced-iframe-authenticated-contributor-stored-cross-site-scripting-5","Advanced iFrame \u003C= 2025.5 - Authenticated (Contributor+) Stored Cross-Site Scripting","The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'advanced_iframe' shortcode in all versions up to, and including, 2025.5 due to insufficient input sanitization and output escaping on user supplied attributes. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","\u003C=2025.5","2025.6","2025-07-25 00:00:00","2025-07-26 06:43:22",[70],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F6acb99eb-d61c-4d1f-b399-32db07c7e3e7?source=api-prod",{"id":72,"url_slug":73,"title":74,"description":75,"plugin_slug":4,"theme_slug":38,"affected_versions":76,"patched_in_version":77,"severity":40,"cvss_score":41,"cvss_vector":42,"vuln_type":43,"published_date":78,"updated_date":79,"references":80,"days_to_patch":29},"CVE-2025-1439","advanced-iframe-authenticated-contributor-stored-cross-site-scripting-via-host-header","Advanced iFrame \u003C= 2024.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Host Header","The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'advanced_iframe' shortcode in all versions up to, and including, 2024.5 due to insufficient input sanitization and output escaping on user supplied attributes through the 'src' attribute when the src supplied returns a header with an injected value . 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","\u003C=2024.5","2025.0","2025-03-25 21:14:57","2025-03-26 09:21:44",[81],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5ac1145b-5ab1-47a9-9117-4870c52a70fc?source=api-prod",{"id":83,"url_slug":84,"title":85,"description":86,"plugin_slug":4,"theme_slug":38,"affected_versions":87,"patched_in_version":88,"severity":40,"cvss_score":41,"cvss_vector":42,"vuln_type":43,"published_date":89,"updated_date":90,"references":91,"days_to_patch":93},"CVE-2025-1437","advanced-iframe-authenticated-contributor-stored-cross-site-scripting-3","Advanced iFrame \u003C= 2025.2 - Authenticated (Contributor+) Stored Cross-Site Scripting","The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'advanced_iframe' shortcode in all versions up to, and including, 2025.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 
This was partially patched in version 2024.5, and later improved in version 2025.3.","\u003C=2025.2","2025.3","2025-03-25 00:00:00","2025-08-07 05:24:28",[92],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F676b4768-98ea-4e55-87de-ef7ae1d7a113?source=api-prod",135,{"id":95,"url_slug":96,"title":97,"description":98,"plugin_slug":4,"theme_slug":38,"affected_versions":76,"patched_in_version":77,"severity":40,"cvss_score":99,"cvss_vector":100,"vuln_type":101,"published_date":89,"updated_date":102,"references":103,"days_to_patch":29},"CVE-2025-1440","advanced-iframe-unauthenticated-settings-update","Advanced iFrame \u003C= 2024.5 - Unauthenticated Settings Update","The Advanced iFrame plugin for WordPress is vulnerable to unauthorized excessive creation of options on the aip_map_url_callback() function in all versions up to, and including, 2024.5 due to insufficient restrictions. This makes it possible for unauthenticated attackers to update the advancediFrameParameterData option with an excessive amount of unvalidated data.",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Improper Input Validation","2025-03-26 09:21:51",[104],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fb92913fa-aa1e-40a0-9a48-d730b2102217?source=api-prod",{"id":106,"url_slug":107,"title":108,"description":109,"plugin_slug":4,"theme_slug":38,"affected_versions":110,"patched_in_version":111,"severity":40,"cvss_score":41,"cvss_vector":42,"vuln_type":43,"published_date":112,"updated_date":113,"references":114,"days_to_patch":116},"CVE-2024-4365","advanced-iframe-authenticated-contributor-stored-cross-site-scripting","Advanced iFrame \u003C= 2024.3 - Authenticated (Contributor+) Stored Cross-Site Scripting","The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘add_iframe_url_as_param_direct’ parameter in versions up to, and including, 
2024.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","\u003C=2024.3","2024.4","2024-05-22 00:00:00","2024-05-23 16:30:52",[115],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F21990e54-c3a2-4bca-b164-132ad456e651?source=api-prod",2,{"id":118,"url_slug":119,"title":120,"description":121,"plugin_slug":4,"theme_slug":38,"affected_versions":122,"patched_in_version":123,"severity":40,"cvss_score":41,"cvss_vector":42,"vuln_type":43,"published_date":124,"updated_date":125,"references":126,"days_to_patch":128},"CVE-2024-32079","advanced-iframe-authenticated-contributor-stored-cross-site-scripting-via-shortcode","Advanced iFrame \u003C= 2024.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode","The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2024.2 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","\u003C=2024.2","2024.3","2024-04-11 00:00:00","2024-04-17 21:12:49",[127],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F808ef87d-298c-4622-9fcd-cf879e7157bd?source=api-prod",7,{"id":130,"url_slug":131,"title":132,"description":133,"plugin_slug":4,"theme_slug":38,"affected_versions":134,"patched_in_version":135,"severity":40,"cvss_score":136,"cvss_vector":137,"vuln_type":43,"published_date":138,"updated_date":139,"references":140,"days_to_patch":29},"CVE-2024-1341","advanced-iframe-authenticated-contributor-stored-cross-site-scripting-4","Advanced iFrame \u003C= 2024.1 - Authenticated (Contributor+) Stored Cross-Site Scripting","The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's advanced_iframe shortcode in all versions up to, and including, 2024.1 due to the plugin allowing users to include JS files from external sources through the additional_js attribute. 
This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","\u003C=2024.1","2024.2",4.9,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","2024-02-28 00:00:00","2024-02-29 04:31:20",[141],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F699e5c80-8a11-4f67-8b17-41170d9c6411?source=api-prod",{"id":143,"url_slug":144,"title":145,"description":146,"plugin_slug":4,"theme_slug":38,"affected_versions":147,"patched_in_version":148,"severity":40,"cvss_score":41,"cvss_vector":42,"vuln_type":43,"published_date":149,"updated_date":150,"references":151,"days_to_patch":153},"CVE-2023-7069","advanced-iframe-authenticated-contributor-stored-cross-site-scripting-2","Advanced iFrame \u003C= 2023.10 - Authenticated (Contributor+) Stored Cross-Site Scripting","The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'advanced_iframe' shortcode in all versions up to, and including, 2023.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 
CVE-2024-24870 is likely a duplicate of this issue.","\u003C=2023.10","2024.0","2024-01-31 00:00:00","2024-07-29 21:36:06",[152],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2e32c51d-2d96-4545-956f-64f65c54b33b?source=api-prod",181,{"id":155,"url_slug":156,"title":157,"description":158,"plugin_slug":4,"theme_slug":38,"affected_versions":159,"patched_in_version":160,"severity":40,"cvss_score":41,"cvss_vector":42,"vuln_type":43,"published_date":161,"updated_date":162,"references":163,"days_to_patch":165},"CVE-2023-4775","advanced-iframe-authenticated-contributor-stored-cross-site-scripting-via-shortcode-2","Advanced iFrame \u003C= 2023.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode","The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'advanced_iframe' shortcode in versions up to, and including, 2023.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 
\tCVE-2023-51690 appears to be a potential duplicate of this issue.","\u003C=2023.8","2023.9","2023-11-09 00:00:00","2024-01-22 19:56:02",[164],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fe9944443-2e71-45c4-8a19-d76863cf66df?source=api-prod",75,{"id":167,"url_slug":168,"title":169,"description":170,"plugin_slug":4,"theme_slug":38,"affected_versions":171,"patched_in_version":172,"severity":40,"cvss_score":173,"cvss_vector":174,"vuln_type":43,"published_date":175,"updated_date":162,"references":176,"days_to_patch":178},"CVE-2021-24953","advanced-iframe-reflected-cross-site-scripting","Advanced iFrame \u003C= 2021.9 Reflected Cross-Site Scripting","The Advanced iFrame WordPress plugin before 2022 does not sanitise and escape the ai_config_id parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue","\u003C=2021.9","2022",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","2022-02-02 00:00:00",[177],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fb72dcc68-df81-47ac-bd73-6aee87611b90?source=api-prod",720,{"slug":7,"display_name":7,"profile_url":8,"plugin_count":116,"total_installs":180,"avg_security_score":181,"avg_patch_time_days":182,"trust_score":183,"computed_at":184},40030,79,102,64,"2026-04-03T21:27:25.313Z",[186,208,229,249,270],{"slug":187,"name":188,"version":189,"author":190,"author_profile":191,"description":192,"short_description":193,"active_installs":194,"downloaded":195,"rating":196,"num_ratings":196,"last_updated":197,"tested_up_to":198,"requires_at_least":199,"requires_php":200,"tags":201,"homepage":205,"download_link":206,"security_score":207,"vuln_count":196,"unpatched_count":196,"last_vuln_date":38,"fetched_at":31},"pym-shortcode","Pym.js Embeds","1.3.2.4","Automattic","https:\u002F\u002Fprofiles.wordpress.org\u002Fautomattic\u002F","\u003Cp>Pym.js Embeds provides shortcode and 
Gutenberg block wrappers for embedding responsive iframes using \u003Ca href=\"http:\u002F\u002Fblog.apps.npr.org\u002Fpym.js\u002F\" rel=\"nofollow ugc\">Pym.js\u003C\u002Fa>, developed by the NPR Visuals Team. Embedded content resizes vertically to match its container’s width.\u003C\u002Fp>\n\u003Cp>AMP compatibility is provided by the \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Famp\u002F\" rel=\"ugc\">official AMP plugin\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch3>Pym.js Resources from NPR\u003C\u002Fh3>\n\u003Cp>You may also want to look at NPR’s Pym.js resources:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ca href=\"http:\u002F\u002Fblog.apps.npr.org\u002Fpym.js\u002F\" rel=\"nofollow ugc\">Pym.js homepage\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fnprapps\u002Fpym.js\u002F\" rel=\"nofollow ugc\">Pym.js repo on GitHub\u002Fnprapps\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n","A WordPress block and shortcode for embedding iframes that are responsive horizontally and vertically, using the NPR Visuals Team's Pym.js.",90,4430,0,"2020-03-26T18:09:00.000Z","5.4.19","3.0.1","5.3",[202,21,203,204,24],"embeds","javascript","responsive","https:\u002F\u002Fgithub.com\u002FINN\u002Fpym-shortcode","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpym-shortcode.1.3.2.4.zip",85,{"slug":209,"name":210,"version":211,"author":212,"author_profile":213,"description":214,"short_description":215,"active_installs":196,"downloaded":216,"rating":196,"num_ratings":196,"last_updated":217,"tested_up_to":218,"requires_at_least":219,"requires_php":220,"tags":221,"homepage":225,"download_link":226,"security_score":227,"vuln_count":196,"unpatched_count":196,"last_vuln_date":38,"fetched_at":228},"embedx","embedX","1.0.0","Liton Arefin","https:\u002F\u002Fprofiles.wordpress.org\u002Flitonice13\u002F","\u003Cp>Elevate your content creation journey with our user-friendly plugin, seamlessly integrating iframes into the content 
for a smoother experience.\u003C\u002Fp>\n\u003Ch3>Usage\u003C\u002Fh3>\n\u003Cp>Simply use the [embedx] shortcode with the src attribute. Example: [embedx src=”https:\u002F\u002Fwordpress.org”]\u003Cbr \u002F>\nYou can also use other parameters (width,height,style,class).\u003Cbr \u002F>\n— width\u003Cbr \u002F>\nto set the width (ex width=”100%”)\u003C\u002Fp>\n\u003Cp>— height\u003Cbr \u002F>\nto set the height (ex height=”100%”)\u003C\u002Fp>\n\u003Cp>— style\u003Cbr \u002F>\nto add a css style (ex style=”overfollow:hidden;height:220px;”)\u003C\u002Fp>\n\u003Cp>— class\u003Cbr \u002F>\nto add a css class (ex class=”yourclass”)\u003C\u002Fp>\n\u003Cp>— login\u003Cbr \u002F>\nshows the iframe data only to logged-in users. Default is false (ex login=”true”)\u003C\u002Fp>\n","Show iframes easily on WordPress.",485,"","6.5.8","4.0","7.0",[222,20,21,223,224],"conditional-iframe","iframe-by-shortcode","iframe-for-logged-user","https:\u002F\u002Fjeweltheme.com\u002Fembedx","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fembedx.zip",100,"2026-03-15T10:48:56.248Z",{"slug":21,"name":21,"version":230,"author":231,"author_profile":232,"description":233,"short_description":234,"active_installs":235,"downloaded":236,"rating":237,"num_ratings":238,"last_updated":239,"tested_up_to":16,"requires_at_least":240,"requires_php":217,"tags":241,"homepage":245,"download_link":246,"security_score":247,"vuln_count":248,"unpatched_count":196,"last_vuln_date":112,"fetched_at":31},"6.0","webvitaly","https:\u002F\u002Fprofiles.wordpress.org\u002Fwebvitaly\u002F","\u003Cul>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fr.freemius.com\u002F13759\u002F8047958\u002F\" title=\"Advanced iFrame\" rel=\"nofollow ugc\">Advanced iFrame\u003C\u002Fa>\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Ca href=\"http:\u002F\u002Fweb-profile.net\u002Fwordpress\u002Fplugins\u002Fiframe\u002F\" title=\"Plugin page\" rel=\"nofollow 
ugc\">iframe\u003C\u002Fa>\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Ca href=\"http:\u002F\u002Fweb-profile.net\u002Fdonate\u002F\" title=\"Support the development\" rel=\"nofollow ugc\">Donate\u003C\u002Fa>\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fwebvitalii\u002Fiframe\" title=\"Fork\" rel=\"nofollow ugc\">GitHub\u003C\u002Fa>\u003C\u002Fstrong>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>[iframe src=”http:\u002F\u002Fwww.youtube.com\u002Fembed\u002F7_nAZQt9qu0″ width=”100%” height=”500″] shortcode\u003Cbr \u002F>\nshould show something like this:\u003C\u002Fp>\n\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002F7_nAZQt9qu0?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\n\u003Cp>WordPress removes iframe html tags because of security reasons.\u003Cbr \u002F>\nIframe shortcode is the replacement of the iframe html tag and accepts the same params as iframe html tag does.\u003Cbr \u002F>\nYou may use iframe shortcode to embed content from YouTube, Vimeo, Google Maps or from any external page.\u003C\u002Fp>\n\u003Cp>If you need to embed content from YouTube, Vimeo, SlideShare, SoundCloud, Twitter via direct link, you may use \u003Ccode>[embed]http:\u002F\u002Fwww.youtube.com\u002Fwatch?v=7_nAZQt9qu0[\u002Fembed]\u003C\u002Fcode> shortcode.\u003Cbr \u002F>\n[embed] shortcode is a core WordPress feature and can \u003Ca href=\"https:\u002F\u002Fcodex.wordpress.org\u002FEmbeds\" rel=\"nofollow ugc\">embed content from many resources via direct 
link\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Important\u003C\u002Fstrong>: You can not embed HTTP pages into HTTPS pages and vice versa.\u003Cbr \u002F>\nSo the protocol (http or httpS) for parent and embedded page should match.\u003C\u002Fp>\n\u003Ch4>iframe params:\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>src\u003C\u002Fstrong> – source of the iframe: \u003Ccode>[iframe src=\"http:\u002F\u002Fwww.youtube.com\u002Fembed\u002F7_nAZQt9qu0\"]\u003C\u002Fcode>; by default src=”http:\u002F\u002Fwww.youtube.com\u002Fembed\u002F7_nAZQt9qu0″;\u003C\u002Fli>\n\u003Cli>\u003Cstrong>width\u003C\u002Fstrong> – width in pixels or in percents: \u003Ccode>[iframe width=\"100%\"]\u003C\u002Fcode> or \u003Ccode>[iframe width=\"600\"]\u003C\u002Fcode>; by default width=”100%”;\u003C\u002Fli>\n\u003Cli>\u003Cstrong>height\u003C\u002Fstrong> – height in pixels: \u003Ccode>[iframe height=\"500\"]\u003C\u002Fcode>; by default height=”500″;\u003C\u002Fli>\n\u003Cli>\u003Cstrong>scrolling\u003C\u002Fstrong> – with or without the scrollbar: \u003Ccode>[iframe scrolling=\"no\"]\u003C\u002Fcode>; by default scrolling=”yes”;\u003C\u002Fli>\n\u003Cli>\u003Cstrong>frameborder\u003C\u002Fstrong> – with or without the frame border: \u003Ccode>[iframe frameborder=\"0\"]\u003C\u002Fcode>; by default frameborder=”0″;\u003C\u002Fli>\n\u003Cli>\u003Cstrong>marginheight\u003C\u002Fstrong> – height of the margin: \u003Ccode>[iframe marginheight=\"0\"]\u003C\u002Fcode>; removed by default;\u003C\u002Fli>\n\u003Cli>\u003Cstrong>marginwidth\u003C\u002Fstrong> – width of the margin: \u003Ccode>[iframe marginwidth=\"0\"]\u003C\u002Fcode>; removed by default;\u003C\u002Fli>\n\u003Cli>\u003Cstrong>allowtransparency\u003C\u002Fstrong> – allows to set transparency of the iframe: \u003Ccode>[iframe allowtransparency=\"true\"]\u003C\u002Fcode>; removed by default;\u003C\u002Fli>\n\u003Cli>\u003Cstrong>id\u003C\u002Fstrong> – allows to add the id of the iframe: \u003Ccode>[iframe 
id=\"custom_id\"]\u003C\u002Fcode>; removed by default;\u003C\u002Fli>\n\u003Cli>\u003Cstrong>class\u003C\u002Fstrong> – allows to add the class of the iframe: \u003Ccode>[iframe class=\"custom_class\"]\u003C\u002Fcode>; by default class=”iframe-class”;\u003C\u002Fli>\n\u003Cli>\u003Cstrong>style\u003C\u002Fstrong> – allows to add the css styles of the iframe: \u003Ccode>[iframe style=\"margin-left:-30px;\"]\u003C\u002Fcode>; removed by default;\u003C\u002Fli>\n\u003Cli>\u003Cstrong>same_height_as\u003C\u002Fstrong> – allows to set the height of iframe same as target element: \u003Ccode>[iframe same_height_as=\"div.sidebar\"]\u003C\u002Fcode>, \u003Ccode>[iframe same_height_as=\"div#content\"]\u003C\u002Fcode>, \u003Ccode>[iframe same_height_as=\"body\"]\u003C\u002Fcode>, \u003Ccode>[iframe same_height_as=\"html\"]\u003C\u002Fcode>; removed by default;\u003C\u002Fli>\n\u003Cli>\u003Cstrong>any_other_param\u003C\u002Fstrong> – allows to add new parameter of the iframe \u003Ccode>[iframe any_other_param=\"any_value\"]\u003C\u002Fcode>;\u003C\u002Fli>\n\u003Cli>\u003Cstrong>any_other_empty_param\u003C\u002Fstrong> – allows to add new empty parameter of the iframe (like “allowfullscreen” on youtube) \u003Ccode>[iframe any_other_empty_param=\"\"]\u003C\u002Fcode>;\u003C\u002Fli>\n\u003C\u002Ful>\n","[iframe src=\"http:\u002F\u002Fwww.youtube.com\u002Fembed\u002F7_nAZQt9qu0\" width=\"100%\" height=\"500\"] 
shortcode",70000,1902698,88,56,"2025-12-18T21:54:00.000Z","3.0",[20,242,21,243,244],"google-maps","vimeo","youtube","http:\u002F\u002Fwordpress.org\u002Fplugins\u002Fiframe\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fiframe.6.0.zip",97,6,{"slug":250,"name":251,"version":252,"author":253,"author_profile":254,"description":255,"short_description":256,"active_installs":11,"downloaded":257,"rating":258,"num_ratings":259,"last_updated":260,"tested_up_to":16,"requires_at_least":261,"requires_php":217,"tags":262,"homepage":265,"download_link":266,"security_score":267,"vuln_count":268,"unpatched_count":196,"last_vuln_date":269,"fetched_at":31},"insert-pages","Insert Pages","3.11.2","Paul Ryan","https:\u002F\u002Fprofiles.wordpress.org\u002Ffigureone\u002F","\u003Cp>Insert Pages lets you embed any WordPress content (e.g., pages, posts, custom post types) into other WordPress content using the Shortcode API. It also includes a widget for inserting pages into any widget area.\u003C\u002Fp>\n\u003Cp>The real power of Insert Pages comes when you start creating custom post types, either \u003Ca href=\"https:\u002F\u002Fcodex.wordpress.org\u002FPost_Types\" rel=\"nofollow ugc\">programmatically in your theme\u003C\u002Fa>, or using another plugin like \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fcustom-post-type-ui\u002F\" rel=\"ugc\">Custom Post Type UI\u003C\u002Fa>. You can then abstract away common data types (like videos, quizzes, due dates) into their own custom post types, and then show those pieces of content within your normal pages and posts by Inserting them as a shortcode.\u003C\u002Fp>\n\u003Ch3>Advanced Tutorial\u003C\u002Fh3>\n\u003Cp>Contributor Wes Modes has graciously written an updated tutorial for the Gutenberg era, focused on creating a custom post type with custom fields and a custom template for rendering content. 
Read it here: \u003Ca href=\"https:\u002F\u002Fmedium.com\u002F@wesmodes\u002Fusing-wordpress-insert-pages-plugin-with-your-custom-post-types-and-custom-templates-535c141f9635\" rel=\"nofollow ugc\">https:\u002F\u002Fmedium.com\u002F@wesmodes\u002Fusing-wordpress-insert-pages-plugin-with-your-custom-post-types-and-custom-templates-535c141f9635\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Example: Normal Use Case\u003C\u002Fh3>\n\u003Cp>Say you teach a course and you’re constantly referring to an assignment due date in your course website. The next semester the due date changes, and you have to go change all of the locations you referred to it. Instead, you’d rather just change the date once! With Insert Pages, you can do the following:\u003C\u002Fp>\n\u003Col>\n\u003Cli>Create a custom post type called \u003Cstrong>Due Date\u003C\u002Fstrong>.\u003C\u002Fli>\n\u003Cli>Create a new \u003Cem>Due Date\u003C\u002Fem> called \u003Cstrong>Assignment 1 Due Date\u003C\u002Fstrong> with \u003Cstrong>Fri Nov 22, 2013\u003C\u002Fstrong> as its content.\u003C\u002Fli>\n\u003Cli>Edit all the pages where the due date occurs and use the \u003Cem>Insert Pages\u003C\u002Fem> toolbar button to insert a reference to the \u003Cem>Due Date\u003C\u002Fem> you just created. Be sure to set the \u003Cem>Display\u003C\u002Fem> to \u003Cstrong>Content\u003C\u002Fstrong> so \u003Cem>Fri Nov 22, 2013\u003C\u002Fem> shows wherever you insert it. The shortcode you just created should look something like this: \u003Ccode>[insert page='assignment-1-due-date' display='content']\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>That’s it! 
Now, when you want to change the due date, just edit the \u003Cem>Assignment 1 Due Date\u003C\u002Fem> custom post you created, and it will automatically be updated on all the pages you inserted it on.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch3>Example: Advanced Use Case\u003C\u002Fh3>\n\u003Cp>Say your site has a lot of video content, and you want to include video transcripts and video lengths along with the videos wherever you show them. You could just paste the transcripts into the page content under the video, but then you’d have to do this on every page the video showed on. (It’s also just a bad idea, architecturally!) With Insert Pages, you can use a custom post type and create a custom theme template to display your videos+transcripts+lengths just the way you want!\u003C\u002Fp>\n\u003Col>\n\u003Cli>Create a custom post type called \u003Cstrong>Video\u003C\u002Fstrong>.\u003C\u002Fli>\n\u003Cli>Use a plugin like \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fadvanced-custom-fields\u002F\" rel=\"ugc\">Advanced Custom Fields\u003C\u002Fa> to add extra fields to your new \u003Cem>Video\u003C\u002Fem> custom post type. 
Add a \u003Cstrong>Video URL\u003C\u002Fstrong> field, a \u003Cstrong>Transcript\u003C\u002Fstrong> field, and a \u003Cstrong>Video Length\u003C\u002Fstrong> field.\u003C\u002Fli>\n\u003Cli>Create a new \u003Cem>Video\u003C\u002Fem> called \u003Cstrong>My Awesome Video\u003C\u002Fstrong> with the following values in its fields:\n\u003Cul>\n\u003Cli>\u003Cem>Video URL\u003C\u002Fem>: \u003Cstrong>http:\u002F\u002Fwww.youtube.com\u002Fwatch?v=oHg5SJYRHA0\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Cem>Transcript\u003C\u002Fem>: \u003Cstrong>We’re no strangers to love, You know the rules and so do I…\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Cem>Video Length\u003C\u002Fem>: \u003Cstrong>3:34\u003C\u002Fstrong>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>Create a template in your theme so we can display the video content as we want. I won’t cover this step here since it’s pretty involved, but you can find more help in the \u003Ca href=\"https:\u002F\u002Fcodex.wordpress.org\u002FTheme_Development#Custom_Page_Templates\" rel=\"nofollow ugc\">WordPress Codex\u003C\u002Fa>. Let’s assume you created a template called \u003Cstrong>Video with transcript\u003C\u002Fstrong> (video-with-transcript.php) that shows the youtube video in a \u003Ca href=\"http:\u002F\u002Ffancybox.net\u002F\" rel=\"nofollow ugc\">fancybox\u003C\u002Fa>, and includes a button that shows the text transcript when a user clicks on it.\u003C\u002Fli>\n\u003Cli>Edit the pages where you want the video to show up and use the \u003Cem>Insert Pages\u003C\u002Fem> toolbar button to insert a reference to the \u003Cem>Video\u003C\u002Fem> you just created. Be sure to set the \u003Cem>Display\u003C\u002Fem> to \u003Cstrong>Use a custom template\u003C\u002Fstrong>, and select your new template \u003Cstrong>Video with transcript\u003C\u002Fstrong>. 
The shortcode you just created should look something like this: \u003Ccode>[insert page='my-awesome-video' display='video-with-transcript.php']\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>That’s it! Now you can create all sorts of video content and know that it’s being tracked cleanly in the database as its own custom post type, and you can place videos all over your site and not worry about lots of duplicate content.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>The possibilities are endless!\u003C\u002Fp>\n","Insert Pages lets you embed any WordPress content (e.g., pages, posts, custom post types) into other WordPress content using the Shortcode API.",1008854,96,71,"2026-01-20T23:38:00.000Z","3.3.0",[20,263,264,24],"insert","pages","https:\u002F\u002Fgithub.com\u002Fuhm-coe\u002Finsert-pages","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Finsert-pages.3.11.2.zip",99,4,"2022-12-21 00:00:00",{"slug":271,"name":272,"version":273,"author":274,"author_profile":275,"description":276,"short_description":277,"active_installs":278,"downloaded":279,"rating":280,"num_ratings":281,"last_updated":282,"tested_up_to":16,"requires_at_least":283,"requires_php":284,"tags":285,"homepage":217,"download_link":291,"security_score":227,"vuln_count":29,"unpatched_count":196,"last_vuln_date":292,"fetched_at":31},"embed-privacy","Embed Privacy","1.12.3","epiphyt","https:\u002F\u002Fprofiles.wordpress.org\u002Fepiphyt\u002F","\u003Cp>Content embedded from external sites such as YouTube or Twitter is loaded immediately when visitors access your site. Embed Privacy addresses this issue and prevents the loading of these contents until the visitor decides to allow loading of external content.\u003Cbr \u002F>\nBut Embed Privacy not only protects your visitor’s privacy but also makes your site load faster.\u003C\u002Fp>\n\u003Cp>All embeds will be replaced by placeholders, ready for you to apply style as you wish. 
With only a couple of lines of CSS.\u003C\u002Fp>\n\u003Cp>By clicking on the placeholder the respective content will then be loaded.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Note: This plugin requires the PHP extension \u003Ca href=\"https:\u002F\u002Fwww.php.net\u002Fmanual\u002Fen\u002Fbook.dom.php\" rel=\"nofollow ugc\">“Document Object Model” (php-dom)\u003C\u002Fa>.\u003C\u002Fstrong>\u003C\u002Fp>\n","Embed Privacy prevents the loading of embedded external content and allows your site visitors to opt-in.",10000,531266,98,26,"2026-01-20T16:55:00.000Z","5.9","5.6",[286,287,288,289,290],"gutenberg","iframes","oembed","performance","privacy","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fembed-privacy.1.12.3.zip","2023-11-18 00:00:00",{"attackSurface":294,"codeSignals":461,"taintFlows":939,"riskAssessment":1081,"analyzedAt":1095},{"hooks":295,"ajaxHandlers":432,"restRoutes":446,"shortcodes":447,"cronEvents":458,"entryPointCount":128,"unprotectedCount":196},[296,302,307,311,315,320,324,328,332,336,340,345,349,353,357,361,365,369,374,378,382,386,390,394,398,401,405,409,413,417,421,425,429],{"type":297,"name":298,"callback":299,"priority":300,"file":301,"line":194},"filter","connect_message_on_update","ai_fs_custom_connect_message_on_update",10,"advanced-iframe.php",{"type":303,"name":304,"callback":305,"file":301,"line":306},"action","after_uninstall","ai_fs_uninstall_cleanup",91,{"type":297,"name":308,"callback":309,"file":301,"line":310},"is_pricing_page_visible","__return_true",92,{"type":297,"name":312,"callback":313,"file":301,"line":314},"default_currency","closure",93,{"type":303,"name":316,"callback":317,"priority":318,"file":301,"line":319},"media_buttons","addAiButton",11,1718,{"type":303,"name":321,"callback":322,"priority":318,"file":301,"line":323},"admin_menu","advancediFrame_ap",1721,{"type":303,"name":325,"callback":326,"priority":29,"file":301,"line":327},"init","initAi",1722,{"type":303,"name":329,"callback":330,"priority":267,"file":301,
"line":331},"admin_enqueue_scripts","addAdminHeaderCode",1723,{"type":303,"name":333,"callback":334,"priority":280,"file":301,"line":335},"wp_enqueue_scripts","addWpHeaderCode",1724,{"type":303,"name":337,"callback":338,"priority":116,"file":301,"line":339},"wp_footer","add_script_footer",1725,{"type":303,"name":341,"callback":342,"priority":343,"file":301,"line":344},"admin_notices","aiShowValidationErrors",3,1726,{"type":303,"name":346,"callback":347,"file":301,"line":348},"ai_check_iframes_event","aiCheckIframes",1728,{"type":303,"name":350,"callback":351,"file":301,"line":352},"wp","ai_show_id_only",1729,{"type":303,"name":354,"callback":355,"file":301,"line":356},"send_headers","aiAddHeader",1730,{"type":303,"name":358,"callback":359,"priority":29,"file":301,"line":360},"plugins_loaded","aiCheckRedirect",1731,{"type":303,"name":362,"callback":363,"priority":29,"file":301,"line":364},"parse_request","aiParseRequest",1732,{"type":303,"name":366,"callback":367,"priority":29,"file":301,"line":368},"template_redirect","aiTemplateRedirect",1733,{"type":303,"name":370,"callback":371,"priority":372,"file":301,"line":373},"wp_head","aiWpHead",9999,1734,{"type":303,"name":375,"callback":376,"priority":29,"file":301,"line":377},"switch_theme","aiDelecteAiContentPages",1735,{"type":303,"name":379,"callback":380,"priority":267,"file":301,"line":381},"upgrader_process_complete","aiUpdate",1744,{"type":297,"name":383,"callback":384,"priority":29,"file":301,"line":385},"content_edit_pre","aiCheckContent",1746,{"type":297,"name":387,"callback":388,"priority":29,"file":301,"line":389},"the_content","aiReplaceIframes",1747,{"type":297,"name":391,"callback":392,"priority":29,"file":301,"line":393},"ai_handle_temp_pages","aiHandleTempPages",1748,{"type":297,"name":395,"callback":396,"file":301,"line":397},"widget_text","shortcode_unautop",1749,{"type":297,"name":395,"callback":399,"file":301,"line":400},"do_shortcode",1750,{"type":297,"name":402,"callback":403,"priority":300,"file"
:301,"line":404},"plugin_action_links","ai_plugin_action_links",1751,{"type":297,"name":406,"callback":407,"priority":300,"file":301,"line":408},"preview_post_link","ai_preview_post_link",1752,{"type":297,"name":410,"callback":411,"priority":318,"file":301,"line":412},"content_save_pre","ai_save_post",1755,{"type":303,"name":414,"callback":415,"file":301,"line":416},"widgets_init","advanced_iframe_widget_init",1789,{"type":297,"name":418,"callback":419,"file":301,"line":420},"site_transient_update_plugins","ai_remove_update",1791,{"type":297,"name":422,"callback":423,"priority":300,"file":301,"line":424},"auto_update_plugin","ai_remove_auto_update",1792,{"type":297,"name":426,"callback":427,"priority":300,"file":301,"line":428},"plugin_row_meta","advanced_iframe_plugin_meta_pro",1916,{"type":297,"name":426,"callback":430,"priority":300,"file":301,"line":431},"advanced_iframe_plugin_meta_free",1918,[433,439,441,444],{"action":434,"nopriv":435,"callback":436,"hasNonce":437,"hasCapCheck":435,"file":301,"line":438},"aip_map_url_action",false,"aip_map_url_callback",true,1758,{"action":434,"nopriv":437,"callback":436,"hasNonce":437,"hasCapCheck":435,"file":301,"line":440},1759,{"action":442,"nopriv":435,"callback":442,"hasNonce":437,"hasCapCheck":435,"file":301,"line":443},"aip_close_message_permanent",1760,{"action":442,"nopriv":437,"callback":442,"hasNonce":437,"hasCapCheck":435,"file":301,"line":445},1761,[],[448,452,454],{"tag":449,"callback":450,"file":301,"line":451},"advanced_iframe","do_iframe_script",1738,{"tag":4,"callback":450,"file":301,"line":453},1739,{"tag":455,"callback":456,"file":301,"line":457},"ai_advanced_js_local","addAiExternalLocal",1740,[459],{"hook":346,"callback":346,"file":301,"line":460},125,{"dangerousFunctions":462,"sqlUsage":463,"outputEscaping":468,"fileOperations":577,"externalRequests":29,"nonceChecks":248,"capabilityChecks":29,"bundledLibraries":931},[],{"prepared":196,"raw":29,"locations":464},[465],{"file":301,"line":466,"context":467
},1359,"$wpdb->query() with variable interpolation",{"escaped":469,"rawEcho":470,"locations":471},134,235,[472,476,478,480,482,484,486,488,490,492,494,496,498,500,502,504,506,508,510,512,514,516,518,520,522,524,526,528,530,532,534,536,538,540,542,544,546,548,550,552,554,556,559,561,563,566,568,570,571,573,575,578,579,581,582,584,586,588,590,592,595,598,600,602,603,605,607,609,611,613,614,616,618,620,622,623,625,627,629,630,631,633,635,637,639,641,643,645,647,649,651,653,655,657,659,661,663,665,667,669,671,673,675,677,679,681,683,685,687,689,691,693,695,697,699,701,703,705,707,709,711,713,715,717,719,721,723,725,727,729,731,732,734,736,738,740,742,744,746,748,750,752,754,756,758,760,762,764,766,768,770,772,774,776,778,780,782,784,786,788,790,792,794,796,798,800,802,804,806,808,810,812,814,816,818,820,822,824,826,828,830,832,834,836,838,840,842,844,846,848,850,852,854,856,858,860,862,863,865,867,869,871,873,875,877,879,881,883,884,886,888,890,891,892,894,895,897,899,900,902,903,905,907,909,911,913,915,917,919,920,921,923,924,926,928],{"file":473,"line":474,"context":475},"advanced-iframe-admin-page.php",58,"raw 
output",{"file":473,"line":477,"context":475},60,{"file":473,"line":479,"context":475},335,{"file":473,"line":481,"context":475},348,{"file":473,"line":483,"context":475},363,{"file":473,"line":485,"context":475},366,{"file":473,"line":487,"context":475},368,{"file":473,"line":489,"context":475},370,{"file":473,"line":491,"context":475},373,{"file":473,"line":493,"context":475},398,{"file":473,"line":495,"context":475},407,{"file":473,"line":497,"context":475},414,{"file":473,"line":499,"context":475},422,{"file":473,"line":501,"context":475},430,{"file":473,"line":503,"context":475},431,{"file":473,"line":505,"context":475},432,{"file":473,"line":507,"context":475},434,{"file":473,"line":509,"context":475},435,{"file":473,"line":511,"context":475},436,{"file":473,"line":513,"context":475},447,{"file":473,"line":515,"context":475},448,{"file":473,"line":517,"context":475},449,{"file":473,"line":519,"context":475},451,{"file":473,"line":521,"context":475},457,{"file":473,"line":523,"context":475},460,{"file":473,"line":525,"context":475},461,{"file":473,"line":527,"context":475},463,{"file":473,"line":529,"context":475},464,{"file":473,"line":531,"context":475},559,{"file":473,"line":533,"context":475},562,{"file":473,"line":535,"context":475},564,{"file":301,"line":537,"context":475},820,{"file":301,"line":539,"context":475},1182,{"file":301,"line":541,"context":475},1188,{"file":301,"line":543,"context":475},1194,{"file":301,"line":545,"context":475},1200,{"file":301,"line":547,"context":475},1218,{"file":301,"line":549,"context":475},1362,{"file":301,"line":551,"context":475},1372,{"file":301,"line":553,"context":475},1429,{"file":301,"line":555,"context":475},1447,{"file":557,"line":558,"context":475},"includes\\advanced-iframe-admin-add-files.php",40,{"file":557,"line":560,"context":475},44,{"file":557,"line":562,"context":475},47,{"file":564,"line":565,"context":475},"includes\\advanced-iframe-admin-default.php",17,{"file":564,"line":567,"context":475},34,{"fil
e":564,"line":569,"context":475},46,{"file":564,"line":562,"context":475},{"file":564,"line":572,"context":475},50,{"file":564,"line":574,"context":475},53,{"file":576,"line":577,"context":475},"includes\\advanced-iframe-admin-external-workaround.php",28,{"file":576,"line":572,"context":475},{"file":576,"line":580,"context":475},95,{"file":576,"line":182,"context":475},{"file":576,"line":583,"context":475},211,{"file":576,"line":585,"context":475},305,{"file":576,"line":587,"context":475},334,{"file":576,"line":589,"context":475},338,{"file":576,"line":591,"context":475},341,{"file":593,"line":594,"context":475},"includes\\advanced-iframe-admin-find-id.php",14,{"file":596,"line":597,"context":475},"includes\\advanced-iframe-admin-functions.php",15,{"file":596,"line":599,"context":475},20,{"file":596,"line":601,"context":475},24,{"file":596,"line":281,"context":475},{"file":596,"line":604,"context":475},30,{"file":596,"line":606,"context":475},32,{"file":596,"line":608,"context":475},36,{"file":596,"line":610,"context":475},39,{"file":596,"line":612,"context":475},43,{"file":596,"line":569,"context":475},{"file":596,"line":615,"context":475},57,{"file":596,"line":617,"context":475},62,{"file":596,"line":619,"context":475},66,{"file":596,"line":621,"context":475},68,{"file":596,"line":27,"context":475},{"file":596,"line":624,"context":475},74,{"file":596,"line":626,"context":475},78,{"file":596,"line":628,"context":475},81,{"file":596,"line":207,"context":475},{"file":596,"line":237,"context":475},{"file":596,"line":632,"context":475},105,{"file":596,"line":634,"context":475},110,{"file":596,"line":636,"context":475},114,{"file":596,"line":638,"context":475},116,{"file":596,"line":640,"context":475},120,{"file":596,"line":642,"context":475},122,{"file":596,"line":644,"context":475},126,{"file":596,"line":646,"context":475},129,{"file":596,"line":648,"context":475},133,{"file":596,"line":650,"context":475},136,{"file":596,"line":652,"context":475},151,{"file":596,"line
":654,"context":475},156,{"file":596,"line":656,"context":475},160,{"file":596,"line":658,"context":475},162,{"file":596,"line":660,"context":475},166,{"file":596,"line":662,"context":475},168,{"file":596,"line":664,"context":475},172,{"file":596,"line":666,"context":475},174,{"file":596,"line":668,"context":475},178,{"file":596,"line":670,"context":475},180,{"file":596,"line":672,"context":475},184,{"file":596,"line":674,"context":475},186,{"file":596,"line":676,"context":475},190,{"file":596,"line":678,"context":475},192,{"file":596,"line":680,"context":475},196,{"file":596,"line":682,"context":475},199,{"file":596,"line":684,"context":475},228,{"file":596,"line":686,"context":475},233,{"file":596,"line":688,"context":475},237,{"file":596,"line":690,"context":475},241,{"file":596,"line":692,"context":475},270,{"file":596,"line":694,"context":475},275,{"file":596,"line":696,"context":475},279,{"file":596,"line":698,"context":475},283,{"file":596,"line":700,"context":475},287,{"file":596,"line":702,"context":475},315,{"file":596,"line":704,"context":475},320,{"file":596,"line":706,"context":475},324,{"file":596,"line":708,"context":475},328,{"file":596,"line":710,"context":475},345,{"file":596,"line":712,"context":475},350,{"file":596,"line":714,"context":475},354,{"file":596,"line":716,"context":475},358,{"file":596,"line":718,"context":475},362,{"file":596,"line":720,"context":475},388,{"file":596,"line":722,"context":475},393,{"file":596,"line":724,"context":475},397,{"file":596,"line":726,"context":475},401,{"file":596,"line":728,"context":475},405,{"file":596,"line":730,"context":475},429,{"file":596,"line":507,"context":475},{"file":596,"line":733,"context":475},438,{"file":596,"line":735,"context":475},442,{"file":596,"line":737,"context":475},446,{"file":596,"line":739,"context":475},469,{"file":596,"line":741,"context":475},474,{"file":596,"line":743,"context":475},478,{"file":596,"line":745,"context":475},482,{"file":596,"line":747,"context":475},486,{"fil
e":596,"line":749,"context":475},513,{"file":596,"line":751,"context":475},518,{"file":596,"line":753,"context":475},522,{"file":596,"line":755,"context":475},526,{"file":596,"line":757,"context":475},530,{"file":596,"line":759,"context":475},541,{"file":596,"line":761,"context":475},546,{"file":596,"line":763,"context":475},550,{"file":596,"line":765,"context":475},554,{"file":596,"line":767,"context":475},558,{"file":596,"line":769,"context":475},575,{"file":596,"line":771,"context":475},580,{"file":596,"line":773,"context":475},584,{"file":596,"line":775,"context":475},588,{"file":596,"line":777,"context":475},592,{"file":596,"line":779,"context":475},619,{"file":596,"line":781,"context":475},624,{"file":596,"line":783,"context":475},628,{"file":596,"line":785,"context":475},632,{"file":596,"line":787,"context":475},636,{"file":596,"line":789,"context":475},653,{"file":596,"line":791,"context":475},658,{"file":596,"line":793,"context":475},662,{"file":596,"line":795,"context":475},666,{"file":596,"line":797,"context":475},670,{"file":596,"line":799,"context":475},698,{"file":596,"line":801,"context":475},748,{"file":596,"line":803,"context":475},755,{"file":596,"line":805,"context":475},758,{"file":596,"line":807,"context":475},761,{"file":596,"line":809,"context":475},763,{"file":596,"line":811,"context":475},766,{"file":596,"line":813,"context":475},772,{"file":596,"line":815,"context":475},775,{"file":596,"line":817,"context":475},819,{"file":596,"line":819,"context":475},824,{"file":596,"line":821,"context":475},828,{"file":596,"line":823,"context":475},832,{"file":596,"line":825,"context":475},979,{"file":596,"line":827,"context":475},997,{"file":596,"line":829,"context":475},1041,{"file":596,"line":831,"context":475},1048,{"file":596,"line":833,"context":475},1052,{"file":596,"line":835,"context":475},1053,{"file":596,"line":837,"context":475},1054,{"file":596,"line":839,"context":475},1055,{"file":596,"line":841,"context":475},1062,{"file":596,"line":843,"
context":475},1097,{"file":596,"line":845,"context":475},1101,{"file":596,"line":847,"context":475},1114,{"file":596,"line":849,"context":475},1131,{"file":596,"line":851,"context":475},1150,{"file":596,"line":853,"context":475},1155,{"file":596,"line":855,"context":475},1159,{"file":596,"line":857,"context":475},1163,{"file":596,"line":859,"context":475},1198,{"file":596,"line":861,"context":475},1209,{"file":596,"line":547,"context":475},{"file":596,"line":864,"context":475},1225,{"file":596,"line":866,"context":475},1236,{"file":596,"line":868,"context":475},1241,{"file":596,"line":870,"context":475},1253,{"file":596,"line":872,"context":475},1261,{"file":596,"line":874,"context":475},1263,{"file":596,"line":876,"context":475},1289,{"file":596,"line":878,"context":475},1753,{"file":596,"line":880,"context":475},1754,{"file":596,"line":882,"context":475},1757,{"file":596,"line":440,"context":475},{"file":596,"line":885,"context":475},1763,{"file":596,"line":887,"context":475},1765,{"file":889,"line":318,"context":475},"includes\\advanced-iframe-admin-modify-iframe.php",{"file":889,"line":597,"context":475},{"file":889,"line":617,"context":475},{"file":889,"line":893,"context":475},106,{"file":889,"line":634,"context":475},{"file":889,"line":896,"context":475},146,{"file":898,"line":259,"context":475},"includes\\advanced-iframe-admin-modify-parent.php",{"file":898,"line":165,"context":475},{"file":901,"line":207,"context":475},"includes\\advanced-iframe-admin-quickstart.php",{"file":901,"line":310,"context":475},{"file":901,"line":904,"context":475},205,{"file":901,"line":906,"context":475},207,{"file":901,"line":908,"context":475},234,{"file":901,"line":910,"context":475},247,{"file":901,"line":912,"context":475},250,{"file":901,"line":914,"context":475},266,{"file":901,"line":916,"context":475},269,{"file":901,"line":918,"context":475},272,{"file":901,"line":694,"context":475},{"file":901,"line":700,"context":475},{"file":901,"line":922,"context":475},314,{"file"
:901,"line":481,"context":475},{"file":925,"line":491,"context":475},"includes\\advanced-iframe-main-helper.php",{"file":927,"line":13,"context":475},"includes\\advanced-iframe-main-iframe.php",{"file":929,"line":930,"context":475},"includes\\advanced-iframe-main-prepare.php",357,[932,935],{"name":933,"version":38,"knownCves":934},"jQuery",[],{"name":936,"version":937,"knownCves":938},"Freemius","1.0",[],[940,956,968,993,1005,1018,1027,1058,1068],{"entryPoint":941,"graph":942,"unsanitizedCount":29,"severity":40},"aiCheckRedirect (advanced-iframe.php:462)",{"nodes":943,"edges":954},[944,948],{"id":945,"type":946,"label":947,"file":301,"line":529},"n0","source","$_GET",{"id":949,"type":950,"label":951,"file":301,"line":952,"wp_function":953},"n1","sink","wp_redirect() [Open Redirect]",472,"wp_redirect",[955],{"from":945,"to":949,"sanitized":435},{"entryPoint":957,"graph":958,"unsanitizedCount":29,"severity":40},"add_script_footer (advanced-iframe.php:812)",{"nodes":959,"edges":966},[960,962],{"id":945,"type":946,"label":947,"file":301,"line":961},825,{"id":949,"type":950,"label":963,"file":301,"line":964,"wp_function":965},"echo() [XSS]",827,"echo",[967],{"from":945,"to":949,"sanitized":435},{"entryPoint":969,"graph":970,"unsanitizedCount":116,"severity":40},"\u003Cadvanced-iframe-admin-functions> (includes\\advanced-iframe-admin-functions.php:0)",{"nodes":971,"edges":989},[972,975,979,983,987],{"id":945,"type":946,"label":973,"file":596,"line":974},"$_POST",1343,{"id":949,"type":950,"label":976,"file":596,"line":977,"wp_function":978},"fopen() [File Access]",1379,"fopen",{"id":980,"type":946,"label":981,"file":596,"line":982},"n2","$_POST (x2)",1381,{"id":984,"type":985,"label":986,"file":596,"line":982},"n3","transform","→ 
printMessage()",{"id":988,"type":950,"label":963,"file":596,"line":876,"wp_function":965},"n4",[990,991,992],{"from":945,"to":949,"sanitized":437},{"from":980,"to":984,"sanitized":435},{"from":984,"to":988,"sanitized":435},{"entryPoint":994,"graph":995,"unsanitizedCount":29,"severity":40},"\u003Ciframe> (includes\\iframe.php:0)",{"nodes":996,"edges":1003},[997,999],{"id":945,"type":946,"label":947,"file":998,"line":560},"includes\\iframe.php",{"id":949,"type":950,"label":1000,"file":998,"line":1001,"wp_function":1002},"header() [Header Injection]",48,"header",[1004],{"from":945,"to":949,"sanitized":435},{"entryPoint":1006,"graph":1007,"unsanitizedCount":196,"severity":1017},"\u003Cadvanced-iframe-admin-page> (advanced-iframe-admin-page.php:0)",{"nodes":1008,"edges":1014},[1009,1011,1012,1013],{"id":945,"type":946,"label":1010,"file":473,"line":626},"$_GET (x2)",{"id":949,"type":950,"label":963,"file":473,"line":481,"wp_function":965},{"id":980,"type":946,"label":973,"file":473,"line":562},{"id":984,"type":950,"label":963,"file":473,"line":535,"wp_function":965},[1015,1016],{"from":945,"to":949,"sanitized":437},{"from":980,"to":984,"sanitized":437},"low",{"entryPoint":1019,"graph":1020,"unsanitizedCount":196,"severity":1017},"aip_map_url_callback (advanced-iframe.php:1401)",{"nodes":1021,"edges":1025},[1022,1024],{"id":945,"type":946,"label":973,"file":301,"line":1023},1414,{"id":949,"type":950,"label":963,"file":301,"line":555,"wp_function":965},[1026],{"from":945,"to":949,"sanitized":437},{"entryPoint":1028,"graph":1029,"unsanitizedCount":196,"severity":1017},"\u003Cadvanced-iframe> 
(advanced-iframe.php:0)",{"nodes":1030,"edges":1052},[1031,1032,1033,1034,1035,1036,1041,1044,1048,1050],{"id":945,"type":946,"label":947,"file":301,"line":529},{"id":949,"type":950,"label":951,"file":301,"line":952,"wp_function":953},{"id":980,"type":946,"label":1010,"file":301,"line":961},{"id":984,"type":950,"label":963,"file":301,"line":964,"wp_function":965},{"id":988,"type":946,"label":1010,"file":301,"line":529},{"id":1037,"type":950,"label":1038,"file":301,"line":1039,"wp_function":1040},"n5","file_get_contents() [SSRF\u002FLFI]",955,"file_get_contents",{"id":1042,"type":946,"label":1043,"file":301,"line":466},"n6","$_GET['ai-show-id-only']",{"id":1045,"type":950,"label":1046,"file":301,"line":466,"wp_function":1047},"n7","query() [SQLi]","query",{"id":1049,"type":946,"label":973,"file":301,"line":1023},"n8",{"id":1051,"type":950,"label":963,"file":301,"line":555,"wp_function":965},"n9",[1053,1054,1055,1056,1057],{"from":945,"to":949,"sanitized":437},{"from":980,"to":984,"sanitized":437},{"from":988,"to":1037,"sanitized":437},{"from":1042,"to":1045,"sanitized":437},{"from":1049,"to":1051,"sanitized":437},{"entryPoint":1059,"graph":1060,"unsanitizedCount":29,"severity":1017},"\u003Cadvanced-iframe-main-prepare> (includes\\advanced-iframe-main-prepare.php:0)",{"nodes":1061,"edges":1066},[1062,1065],{"id":945,"type":946,"label":1063,"file":929,"line":1064},"$_SERVER",200,{"id":949,"type":950,"label":963,"file":929,"line":930,"wp_function":965},[1067],{"from":945,"to":949,"sanitized":435},{"entryPoint":1069,"graph":1070,"unsanitizedCount":116,"severity":1080},"ai_show_id_only 
(advanced-iframe.php:1328)",{"nodes":1071,"edges":1077},[1072,1073,1074,1076],{"id":945,"type":946,"label":1043,"file":301,"line":466},{"id":949,"type":950,"label":1046,"file":301,"line":466,"wp_function":1047},{"id":980,"type":946,"label":947,"file":301,"line":1075},1369,{"id":984,"type":950,"label":963,"file":301,"line":551,"wp_function":965},[1078,1079],{"from":945,"to":949,"sanitized":435},{"from":980,"to":984,"sanitized":435},"high",{"summary":1082,"deductions":1083},"The advanced-iframe plugin v2026.0 exhibits a mixed security posture. While it boasts a relatively small attack surface with no immediately apparent unprotected entry points in the static analysis, and a decent number of nonce and capability checks, several concerning signals emerge from the code analysis and vulnerability history.  The fact that 100% of its single SQL query does not use prepared statements is a significant risk, potentially opening the door to SQL injection vulnerabilities. Furthermore, a concerning 64% of its output escaping is not properly handled, indicating a high potential for Cross-Site Scripting (XSS) vulnerabilities. The taint analysis also reveals a high severity flow with unsanitized paths, which requires immediate attention.  The plugin's history of 12 known CVEs, even though none are currently marked as critical or high, and the presence of one unpatched medium vulnerability, suggests a recurring pattern of security weaknesses, primarily related to improper input validation and XSS. 
This history, coupled with the current code signals, indicates that while the plugin attempts some security measures, there are fundamental flaws in how it handles user-supplied data and generates output, which could be exploited.\n\nIn conclusion, while the plugin has strengths like a controlled attack surface and some security checks, the significant number of historical vulnerabilities, the lack of prepared statements for SQL queries, the substantial amount of unescaped output, and the high-severity taint flow present a considerable risk. Users should exercise caution and prioritize patching any known vulnerabilities, alongside careful review of the plugin's code for the identified issues.",[1084,1086,1088,1090,1093],{"reason":1085,"points":597},"Unpatched CVE",{"reason":1087,"points":300},"Raw SQL without prepare",{"reason":1089,"points":28},"High severity taint flow",{"reason":1091,"points":1092},"High percentage of unescaped output",8,{"reason":1094,"points":343},"Bundled outdated library Freemius 
v1.0","2026-03-16T17:19:37.814Z",{"wat":1097,"direct":1111},{"assetPaths":1098,"generatorPatterns":1104,"scriptPaths":1105,"versionParams":1106},[1099,1100,1101,1102,1103],"\u002Fwp-content\u002Fplugins\u002Fadvanced-iframe\u002Faip-admin.css","\u002Fwp-content\u002Fplugins\u002Fadvanced-iframe\u002Faip-admin.js","\u002Fwp-content\u002Fplugins\u002Fadvanced-iframe\u002Fadvanced-iframe.js","\u002Fwp-content\u002Fplugins\u002Fadvanced-iframe\u002Fadvanced-iframe.css","\u002Fwp-content\u002Fplugins\u002Fadvanced-iframe\u002Fimg\u002Fadvanced-iframe.png",[],[1100,1101],[1107,1108,1109,1110],"\u002Fwp-content\u002Fplugins\u002Fadvanced-iframe\u002Faip-admin.css?ver=","\u002Fwp-content\u002Fplugins\u002Fadvanced-iframe\u002Faip-admin.js?ver=","\u002Fwp-content\u002Fplugins\u002Fadvanced-iframe\u002Fadvanced-iframe.js?ver=","\u002Fwp-content\u002Fplugins\u002Fadvanced-iframe\u002Fadvanced-iframe.css?ver=",{"cssClasses":1112,"htmlComments":1115,"htmlAttributes":1120,"restEndpoints":1123,"jsGlobals":1124,"shortcodeOutput":1126},[449,1113,1114],"aip-admin-input","aip-admin-label",[1116,1117,1118,1119],"\u003C!-- Shortcode advanced_iframe -->","\u003C!-- Shortcode advanced_iframe end -->","\u003C!-- START Advanced iFrame Plugin -->","\u003C!-- END Advanced iFrame Plugin -->",[1121,1122],"data-advanced-iframe-wrapper","data-advanced-iframe-id",[],[1125],"advanced_iframe_options",[1127],"[advanced_iframe"]