VYPR
Medium severity 6.4 · NVD Advisory · Published Sep 6, 2025 · Updated Apr 15, 2026

CVE-2025-8722

Description

The Content Views plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Grid and List widgets in all versions up to, and including, 4.1 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS vulnerability in Content Views plugin for WordPress allows authenticated contributors to inject arbitrary scripts via Grid and List widgets.

The Content Views plugin for WordPress, up to version 4.1, contains a Stored Cross-Site Scripting (XSS) vulnerability in its Grid and List widgets. The root cause is insufficient input sanitization and output escaping on user-supplied attributes, allowing malicious script injection [1].

To exploit this vulnerability, an attacker must have at least contributor-level access to the WordPress site. By creating a widget with specially crafted attributes, the attacker can inject arbitrary web scripts that are stored on the server. When any user, including an administrator, visits the affected page, the injected script executes in their browser [1].

The impact of successful exploitation includes the execution of arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, defacement, or redirection to malicious sites, potentially compromising the entire WordPress installation [1].

As of the publication date, the vulnerability affects all versions up to and including 4.1. Users are advised to update to the latest patched version of the plugin if available. No workaround has been provided, so updating is the recommended mitigation [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

4
