Headline
CVE-2023-4919: iframe.php in iframe/tags/4.5 – WordPress Plugin Repository
The iframe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the iframe shortcode in versions up to, and including, 4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permission and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This was partially patched in version 4.6 and fully patched in version 4.7.
1<?php2/*3Plugin Name: iframe4Plugin URI: http://wordpress.org/plugins/iframe/5Description: [iframe src="http://www.youtube.com/embed/oDlbBy9vfgI" width="100%" height="500"] shortcode6Version: 4.57Author: webvitaly8Author URI: http://web-profile.net/wordpress/plugins/9License: GPLv310*/1112if ( ! defined( ‘ABSPATH’ ) ) { // Avoid direct calls to this file and prevent full path disclosure13 exit;14}1516define('IFRAME_PLUGIN_VERSION’, ‘4.5’);1718function iframe_plugin_add_shortcode_cb( $atts ) {19 $defaults = array(20 ‘src’ => 'http://www.youtube.com/embed/oDlbBy9vfgI’,21 ‘width’ => '100%’,22 ‘height’ => '500’,23 ‘scrolling’ => 'yes’,24 ‘class’ => 'iframe-class’,25 ‘frameborder’ => ‘0’26 );2728 foreach ( $defaults as $default => $value ) { // add defaults29 if ( ! @array_key_exists( $default, $atts ) ) { // mute warning with “@” when no params at all30 $atts[$default] = $value;31 }32 }3334 $html = "\n".’<!-- iframe plugin v.’.IFRAME_PLUGIN_VERSION.’ wordpress.org/plugins/iframe/ -->’."\n";35 $html .= '<iframe’;36 foreach( $atts as $attr => $value ) {37 if ( strtolower($attr) == ‘src’ ) { // sanitize url38 $value = esc_url( $value );39 }40 if ( strtolower($attr) != ‘same_height_as’ AND strtolower($attr) != 'onload’41 AND strtolower($attr) != ‘onpageshow’ AND strtolower($attr) != ‘onclick’) { // remove some attributes42 if ( $value != ‘’ ) { // adding all attributes43 $html .= ' ' . esc_attr( $attr ) . ‘="’ . esc_attr( $value ) . '"’;44 } else { // adding empty attributes45 $html .= ' ' . esc_attr( $attr );46 }47 }48 }49 $html .= '></iframe>’."\n";5051 if ( isset( $atts[“same_height_as”] ) ) {52 $html .= ‘53 <script>54 document.addEventListener("DOMContentLoaded", function(){55 var target_element, iframe_element;56 iframe_element = document.querySelector("iframe.’ . esc_attr( $atts[“class”] ) . ‘");57 target_element = document.querySelector("’ . esc_attr( $atts[“same_height_as”] ) . ‘");58 iframe_element.style.height = target_element.offsetHeight + “px";59 });60 </script>61 ';62 }6364 return $html;65}66add_shortcode( 'iframe’, ‘iframe_plugin_add_shortcode_cb’ );676869function iframe_plugin_row_meta_cb( $links, $file ) {70 if ( $file == plugin_basename( __FILE__ ) ) {71 $row_meta = array(72 ‘support’ => '<a href="http://web-profile.net/wordpress/plugins/iframe/” target="_blank">’ . __( 'Iframe’, ‘iframe’ ) . '</a>’,73 ‘donate’ => ‘<a href="http://web-profile.net/donate/" target="_blank">’ . __( 'Donate’, ‘iframe’ ) . '</a>’,74 ‘pro’ => ‘<a href="https://1.envato.market/Ym5aq" target="_blank">’ . __( 'Advanced iFrame Pro’, ‘iframe’ ) . '</a>’75 );76 $links = array_merge( $links, $row_meta );77 }78 return (array) $links;79}80add_filter( 'plugin_row_meta’, 'iframe_plugin_row_meta_cb’, 10, 2 );