The iframe plugin prior to 4.5 for WordPress does not sanitize a URL.
iframe project iframe
Stored Cross Site Scripting - Iframe Plugin - WordPress
CVE-2020-12696 ██╗ ██╗███████╗███████╗ ╚██╗██╔╝██╔════╝██╔════╝ ╚███╔╝ ███████╗███████╗ ██╔██╗ ╚════██║╚════██║ ██╔╝ ██╗███████║███████║ ╚═╝ ╚