
IFrame Widget Security & Risk Analysis
wordpress.org/plugins/iframe-widget
IFrame widget can display any external HTML page inside an HTML IFrame component.
Is IFrame Widget Safe to Use in 2026?
Use With Caution
Score 63/100
IFrame Widget has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.
The "iframe-widget" plugin v4.1 presents a mixed security posture. On the positive side, its attack surface is small: it exposes no AJAX handlers, REST API routes, shortcodes, or cron events lacking proper authorization checks. All SQL queries use prepared statements, and there are no file operations or external HTTP requests to consider, which rules out several common attack vectors. However, the presence of the dangerous function create_function() is a significant concern. It builds a function from a string at runtime and is deprecated because of its security implications; it can easily lead to code injection unless its input is handled with extreme care, and the code analysis signals do not suggest that it is.
The vulnerability history for this plugin is troubling. One known medium-severity CVE exists, and it is currently unpatched. It records a Cross-site Scripting (XSS) flaw, the direct result of improperly neutralized input. That the issue remains unpatched suggests a lack of ongoing maintenance and leaves this known weakness open to exploitation. The limited taint analysis is not necessarily a positive sign: it may only mean the analysis tools found no exploitable flows, and it does not negate the risks from the identified dangerous function and the unpatched CVE.
In conclusion, although the plugin has a small attack surface and uses prepared statements for SQL, the use of create_function() and the unpatched medium-severity XSS CVE are serious security concerns. The lack of patches for a known vulnerability points to a plugin that may be abandoned or poorly maintained, making it a risky choice for WordPress sites.
Key Concerns
- Unpatched CVE exists
- Dangerous function 'create_function' used
- Output escaping at 33%: many outputs unescaped
- No nonce checks on entry points
- No capability checks on entry points
IFrame Widget Security Vulnerabilities
CVEs by Year / Severity Breakdown: 1 total CVE (medium severity)
IFrame Widget <= 4.1 - Authenticated (Administrator+) Stored Cross-Site Scripting
IFrame Widget Code Analysis
Dangerous Functions Found: create_function
Output Escaping: 33% of outputs escaped
IFrame Widget Attack Surface
WordPress Hooks: 5
IFrame Widget Maintenance & Trust
Maintenance Signals
Community Trust
IFrame Widget Alternatives
- Code Widget (code-widget): Code widget helps to add Short Code, PHP Code, HTML, and Simple Text in widget.
- Unfiltered MU (unfiltered-mu): This WordPress MU/WordPress 3.0 multisite plugin gives blog Administrators and Editors the ability to post whatever HTML they want.
- Local Time Clock (local-time-clock): Display a clock on your sidebar set automatically to your location's timezone. Select from a choice of clocks, colors and sizes.
- PageView (pageview): Insert an iframe and display an external website directly in a post using just a shortcode.
- Widget Classes (widget-classes): Widget Classes allows you to add classes to your individual widgets to be used by your theme. This is done by appending an additional form field to th …
IFrame Widget Developer Profile
3 plugins · 710 total installs
How We Detect IFrame Widget
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
- /wp-content/plugins/iframe-widget/iframe-widget.php
HTML / DOM Fingerprints
- IFrame_Widget
- data-iframewidget-url
- data-iframewidget-width
- data-iframewidget-height
- data-iframewidget-border
- data-iframewidget-scrolling
- data-iframewidget-style
- <IFRAME
- [Your user agent does not support frames or is currently configured not to display frames. However, you may visit <A href=