CVE-2020-12696

MEDIUM

iframe < 4.5 - Cross-Site Scripting via URL Parameter

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-12696. PoCs published by g-rubert.

AI-analyzed exploit summary: This repository contains a writeup for CVE-2020-12696, an authenticated stored XSS vulnerability in the WordPress iframe plugin before version 4.5. The payload demonstrates how unsanitized input can lead to arbitrary JavaScript execution.

Description

The iframe plugin before 4.5 for WordPress does not sanitize a URL.

Exploits (1)

nomisec WRITEUP
by g-rubert · poc
https://github.com/g-rubert/CVE-2020-12696

Classification: Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: WordPress iframe plugin < 4.5
Auth required
Prerequisites: Authenticated access to WordPress · iframe plugin version < 4.5
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Product, Release Notes x_refsource_misc
https://wordpress.org/plugins/iframe/#developers
Third Party Advisory x_refsource_misc
https://guilhermerubert.com/blog/cve-2020-12696/

Scores

CVSS v3 6.1
EPSS 0.0201
EPSS Percentile 78.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
iframe_project/iframe < 4.5
Published May 07, 2020
Tracked Since Feb 18, 2026