CVE-2023-4919: 
WordPress vulnerability analysis and mitigation

The iframe plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2023-4919) in versions up to and including 4.6. The vulnerability was discovered by István Márton from Wordfence and was publicly disclosed on September 25, 2023. The issue affects the iframe shortcode functionality due to insufficient input sanitization and output escaping (NVD CVE).

The vulnerability has been assigned a CVSS v3.1 base score of 6.4 (Medium) by Wordfence and 5.4 (Medium) by NVD. The vulnerability exists due to improper sanitization of input and insufficient output escaping in the iframe shortcode implementation. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (NVD CVE).

This vulnerability allows authenticated attackers with contributor-level permissions or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to unauthorized actions, data theft, or session hijacking (NVD CVE).

Users are advised to update to version 4.7 or later of the iframe plugin, which contains the complete fix for this vulnerability. The vulnerability was partially addressed in version 4.6, but the complete fix is available in version 4.7 (NVD CVE).