WordPress Plugin Vulnerabilities

Content Views < 3.6.3 - Admin+ Stored XSS

Description

The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Affects Plugins

Plugin icon
content-views-query-and-display-post-page
Fixed in 3.6.3

References

CVE
CVE-2024-0612
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/aa4377a8-bcf4-45ba-824b-3505bd8e8c61

Classification

Type
CROSS FRAME SCRIPTING
OWASP top 10
A1: Injection
CWE
CWE-80
CVSS
4.4 (medium)

Miscellaneous

Original Researcher
Akbar Kustirama
Verified
No
WPVDB ID
1b7ffac2-a042-4047-b402-2557f8becc94

Timeline

Publicly Published
2024-01-22 (about 2 years ago)
Added
2024-01-24 (about 2 years ago)
Last Updated
2024-01-24 (about 2 years ago)

Other

Published
Title
Published
2025-11-04
Title
Visual Link Preview < 2.2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via visual-link-preview Shortcode
Published
2024-04-16
Title
WP Meta SEO < 4.5.13 - Unauthenticated Stored Cross-Site Scripting via Referer header
Published
2025-06-05
Title
Paged Gallery <= 0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-02-13
Title
Happy Addons for Elementor < 3.10.2 - Contributor+ Stored Cross-Site Scripting
Published
2024-03-06
Title
Database for Contact Form 7, WPforms, Elementor forms < 1.3.4 - Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode