CVE-2025-49411
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vikas Sharma iFrame Block allows Stored XSS. This issue affects iFrame Block: from n/a through 0.1.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in WordPress iFrame Block plugin (≤0.1.1) allows attackers to inject malicious scripts via improper input neutralization.
The iFrame Block plugin for WordPress versions 0.1.1 and below contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation. This allows an authenticated attacker with sufficient privileges to inject arbitrary scripts that are stored and executed when other users access the affected page [1].
Exploitation requires a privileged user role, such as an editor or administrator, to insert a malicious payload while creating or editing a post. The attack does not require direct user interaction from victims; the injected script executes automatically when any visitor loads the compromised page. The vulnerability is classified as Stored XSS, meaning the payload persists in the database [1].
Successful exploitation allows an attacker to perform various malicious actions, including redirecting visitors to malicious sites, injecting advertisements, or stealing sensitive data such as session cookies. The CVSS v3 base score is 7.1 (High), reflecting the potential impact on confidentiality and integrity [1].
Users are advised to update the plugin to a patched version immediately if available. The vendor has not yet released a fix for this version; therefore, as a workaround, administrators should restrict plugin usage to trusted users or temporarily disable the plugin until a patch is applied. This vulnerability is known to be used in mass-exploit campaigns [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.