WordPress iframe-embed-v2 Plugin XSS Fix: escape attribute to prevent JavaScript injection

From this webpage screenshot, we can extract the following key information about the vulnerability: 1. Version Information: - Version 1.8: Released on October 7, 2024, fixed the attribute of the tag to prevent JavaScript injection. - Version 1.7: Released on July 10, 2022, fixed the warning when is set but is not used. - Version 1.6: Released on February 21, 2018, added the attribute to . - Version 1.5: Released on March 31, 2017, fixed and JavaScript errors when the auto-resize option is not used. - Version 1.4: Released on November 11, 2016, added query support. - Version 1.3: Released on September 27, 2016, fixed the ignored blur factor when auto-resizing . - Version 1.2: Released on November 6, 2015, fixed the issue where the height parameter was being ignored, thanks to vantron. - Version 1.1: Released on August 11, 2015, fixed the issue of ensuring elements and sub-objects exist before using them. - Version 1.0: Released on May 15, 2015, added shortcode UI support (see https://github.com/fusioneng/Shortcake). 2. Features and Fixes: - Version 1.8: Fixed the tag attribute to prevent JavaScript injection. - Version 1.7: Fixed the warning when is set but is not used. - Version 1.6: Added the attribute to . - Version 1.5: Fixed and JavaScript errors when the auto-resize option is not used. - Version 1.4: Added query support. - Version 1.3: Fixed the ignored blur factor when auto-resizing . - Version 1.2: Fixed the issue where the height parameter was being ignored, thanks to vantron. - Version 1.1: Fixed the issue of ensuring elements and sub-objects exist before using them. - Version 1.0: Added shortcode UI support (see https://github.com/fusioneng/Shortcake). This information indicates that the plugin has undergone multiple fixes and feature improvements during its release cycle to address various security and functional issues.

Goal Reached Thanks to every supporter — we hit 100%!

WordPress iframe-embed-v2 Plugin XSS Fix: escape attribute to prevent JavaScript injection