Content Views – Post Grid & Filter, Recent Posts, Category Posts, & More < 3.7.1 – Contributor+ Stored Cross-Site Scripting via Widget Post Overlay | CVE 2024-3929 | Plugin Vulnerabilities

Description

The Content Views – Post Grid & Filter, Recent Posts, Category Posts, & More (Gutenberg Blocks and Shortcode) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Widget Post Overlay block in all versions up to, and including, 3.7.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

content-views-query-and-display-post-page

Fixed in 3.7.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/5666da4a-ffb6-47ed-8b48-a80f09dd2501

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

wesley (wcraft)

Verified

No

WPVDB ID

b5764e27-2fee-44f2-9932-5b0757b5bafc

Timeline

Publicly Published

2024-04-24 (about 1 year ago)

Added

2024-04-24 (about 1 year ago)

Last Updated

2024-04-24 (about 1 year ago)

Other

Published

Title

Published

2025-09-10

Title

ThemeLoom Widgets <= 1.8.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-04-17

Title

Coupon Affiliates – Affiliate Plugin for WooCommerce < 6.3.1 - Reflected Cross-Site Scripting via 'commission_summary' Parameter

Published

2024-03-28

Title

Elementor Addon Elements < 1.13.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-10-14

Title

Ad Inserter < 2.7.38 - Reflected Cross-Site Scripting

Published

2023-07-10

Title

Mail Control < 0.3.2 - Unauthenticated Stored XSS via Email Subject