CVE-2025-8089: 
WordPress vulnerability analysis and mitigation

The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting (CVE-2025-8089) via the 'additional' parameter in version 2025.6 and earlier. This vulnerability was discovered and disclosed on August 15, 2025 (NVD).

The vulnerability exists due to insufficient input sanitization and output escaping in the Advanced iFrame WordPress plugin. The issue specifically affects the 'additional' parameter and allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts. These injected scripts will execute whenever a user accesses the affected page. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (MEDIUM) with the vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (Wordfence).

When exploited, this vulnerability allows authenticated attackers to inject malicious scripts that execute in users' browsers when they visit the compromised pages. This can lead to potential data theft, session hijacking, or other client-side attacks against site visitors (NVD).

The vulnerability has been patched in version 2025.7 of the Advanced iFrame plugin. Users are advised to update to this version or later to protect against this security issue. The fix includes improved input sanitization and output escaping for the 'additional' parameter (WordPress Plugin).