Advisory:

Stored XSS in iframe allows less privileged users to do almost anything an admin can

Vulnerability

Users without the unfiltered_html capability are able, through the plugin's [iframe] shortcode, to insert arbitrary HTML attributes into pages and thus exceed the privileges they were granted.

Current state: Reported

CVSS Summary

CVSS base scores for this vulnerability:

  • Score: 5.5 (Medium)
  • Access vector: Network
  • Access complexity: Low
  • Authentication: Single
  • Confidentiality impact: Partial
  • Integrity impact: Partial
  • Availability impact: None
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Insert the following into a post:

[iframe src="http://www.youtube.com/embed/4qsGTXLnmKs" width="100%" height="500" onload="alert(1)"]

Advisory timeline

  • 2015-07-31: Discovered
  • 2015-08-05: Reported to vendor via web form on http://web-profile.com.ua/feedback/
  • 2015-08-06: Vendor responded
  • 2015-08-10: Vendor reported the issue fixed in version 4.0, but the fix does not address it: the plugin is still vulnerable.
  • 2015-08-10: Published

Mitigation/further actions

Disable the plugin until a new version is released that fixes this bug.

The vendor has released version 4.0, in which onload is disabled, but the other ‘event’ attributes are still permitted, including onpageshow. A number of these event attributes could be used to execute this attack, so the issue is not resolved (registered as CVE-2015-6739).
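As an added example (not the plugin's own code), this is the defensive pattern the version 4.0 fix lacks: allowlist the shortcode attributes the handler understands instead of blocklisting individual event handlers. The handler name is an assumption; it relies on WordPress's shortcode_atts() returning only the keys present in the defaults array, so onload, onpageshow and any attribute the author never anticipated are dropped before the tag is built.

```php
<?php
// Added example, not the plugin's own code: a hardened [iframe] shortcode
// handler. The function name is an assumption for this illustration.

function hardened_iframe_shortcode( $atts ) {
    // shortcode_atts() keeps only the keys listed in $defaults. Every other
    // attribute supplied in the shortcode (onload, onpageshow, ...) is
    // discarded here rather than copied into the <iframe> tag.
    $defaults = array(
        'src'             => '',
        'width'           => '100%',
        'height'          => '500',
        'frameborder'     => '0',
        'allowfullscreen' => 'false',
    );
    $atts = shortcode_atts( $defaults, $atts, 'iframe' );

    // Only http(s) URLs are acceptable as a frame source: esc_url() returns
    // an empty string when the scheme is not in the allowed list.
    $src = esc_url( $atts['src'], array( 'http', 'https' ) );
    if ( '' === $src ) {
        return '';
    }

    // Dimensions are restricted to digits optionally followed by % or px,
    // so no quote or angle bracket can ever reach the markup.
    $dim = function ( $v ) {
        return preg_match( '/^\d+(%|px)?$/', $v ) ? $v : '';
    };
    $width  = $dim( $atts['width'] );
    $height = $dim( $atts['height'] );

    $html = '<iframe src="' . $src . '"';
    if ( '' !== $width ) {
        $html .= ' width="' . esc_attr( $width ) . '"';
    }
    if ( '' !== $height ) {
        $html .= ' height="' . esc_attr( $height ) . '"';
    }
    $html .= ' frameborder="' . ( '1' === $atts['frameborder'] ? '1' : '0' ) . '"';
    if ( 'true' === $atts['allowfullscreen'] ) {
        $html .= ' allowfullscreen';
    }
    return $html . '></iframe>';
}
add_shortcode( 'iframe', 'hardened_iframe_shortcode' );
```

With this handler the proof-of-concept shortcode above renders a plain iframe with only src, width, height and frameborder set; the onload attribute never appears in the output.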