diff --git a/ghost/admin/app/components/gh-billing-iframe.js b/ghost/admin/app/components/gh-billing-iframe.js
index c807fc4bcb..9bf2121008 100644
--- a/ghost/admin/app/components/gh-billing-iframe.js
+++ b/ghost/admin/app/components/gh-billing-iframe.js
@@ -20,7 +20,8 @@ export default class GhBillingIframe extends Component {
 this.billing.getBillingIframe().src = this.billing.getIframeURL();
 window.addEventListener('message', (event) => {
- if (event?.data) {
+ // only process messages coming from the billing iframe
+ if (event?.data && this.billing.getIframeURL().includes(event?.origin)) {
 if (event.data?.request === 'token') {
 this._handleTokenRequest();
 }
diff --git a/ghost/admin/app/components/gh-explore-iframe.js b/ghost/admin/app/components/gh-explore-iframe.js
index 446e2c63d8..1da969309a 100644
--- a/ghost/admin/app/components/gh-explore-iframe.js
+++ b/ghost/admin/app/components/gh-explore-iframe.js
@@ -12,7 +12,8 @@ export default class GhExploreIframe extends Component {
 this.explore.getExploreIframe().src = this.explore.getIframeURL();
 window.addEventListener('message', async (event) => {
- if (event?.data) {
+ // only process messages coming from the explore iframe
+ if (event?.data && this.explore.getIframeURL().includes(event?.origin)) {
 if (event.data?.request === 'apiUrl') {
 this._handleUrlRequest();
 }
diff --git a/ghost/admin/app/services/explore.js b/ghost/admin/app/services/explore.js
index f8f9d73c20..0621b5ce72 100644
--- a/ghost/admin/app/services/explore.js
+++ b/ghost/admin/app/services/explore.js
@@ -67,7 +67,7 @@ export default class ExploreService extends Service {
 }
 }
- return url += '/';
+ return url;
 }
 // Sends a route update to a child route in the BMA, because we can't control
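Review bot: The new origin check in the `message` listener is a substring test, `this.billing.getIframeURL().includes(event?.origin)`, not an origin comparison, so it accepts any sender whose origin string happens to appear inside the iframe URL, and it is always true when `event.origin` is the empty string because `String.prototype.includes('')` returns true for every string. An exact comparison against the parsed origin of the iframe URL is what a postMessage guard should do: `if (event?.data && event.origin === new URL(this.billing.getIframeURL()).origin) {`. The same pattern is used in the gh-explore-iframe.js hunk, which should use `new URL(this.explore.getIframeURL()).origin` in the same way. Checking `event.source === this.billing.getBillingIframe().contentWindow` in addition would tie the message to the specific frame rather than only to its origin; the listener's body and the enclosing method both continue outside the hunk.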