CVE-2024-10151: 
WordPress vulnerability analysis and mitigation

The Auto iFrame WordPress plugin before version 2.0 contains a stored Cross-Site Scripting (XSS) vulnerability. The issue was discovered on December 18, 2024, and affects users with contributor role and above. The vulnerability exists because the plugin fails to properly validate and escape certain shortcode attributes before outputting them back in pages or posts where the shortcode is embedded (WPScan, NVD).

The vulnerability stems from improper validation and escaping of shortcode attributes in the Auto iFrame plugin. When the shortcode is embedded in a page or post, certain attributes are output without proper sanitization. The CVSS v3.1 score is 5.4 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified under OWASP Top 10 category A7: Cross-Site Scripting (XSS) and CWE-79 (WPScan).

This vulnerability allows authenticated users with contributor privileges or higher to perform Stored Cross-Site Scripting attacks. When successfully exploited, it could enable attackers to inject malicious scripts that execute in visitors' browsers when viewing affected pages (WPScan).

The vulnerability has been fixed in version 2.0 of the Auto iFrame plugin. Users are advised to update to this version or later to protect against this security issue (WPScan).