Content Views – Post Grid & Filter, Recent Posts, Category Posts, & More (Gutenberg Blocks and Shortcode) Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Post Overlay – CVE-2024-3929 | WordPress Plugin Vulnerability Report –

Plugin Name: Content Views – Post Grid & Filter, Recent Posts, Category Posts, & More (Gutenberg Blocks and Shortcode)

Key Information:

  • Software Type: Plugin
  • Software Slug: content-views-query-and-display-post-page
  • Software Status: Active
  • Software Author: pt-guy
  • Software Downloads: 4,315,608
  • Active Installs: 100,000
  • Last Updated: May 10, 2024
  • Patched Versions: 3.7.1
  • Affected Versions: <= 3.7.0

Vulnerability Details:

  • Name: Content Views – Post Grid & Filter, Recent Posts, Category Posts, & More (Gutenberg Blocks and Shortcode) <= 3.7.0
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Post Overlay
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-3929
  • CVSS Score: 6.4
  • Publicly Published: April 24, 2024
  • Researcher: wesley
  • Description: The plugin is vulnerable to Stored Cross-Site Scripting via the Widget Post Overlay block in all versions up to, and including, 3.7.0 due to insufficient input sanitization and output escaping on user-supplied attributes. This vulnerability allows authenticated attackers, with contributor-level access or higher, to inject arbitrary web scripts in pages that execute whenever a user accesses an injected page.

Summary:

The Content Views plugin for WordPress has a vulnerability in versions up to and including 3.7.0 that enables stored cross-site scripting via the Widget Post Overlay. This vulnerability has been patched in version 3.7.1.

Detailed Overview:

This vulnerability, discovered by researcher Wesley, occurs in the Widget Post Overlay block where insufficient sanitization and escaping of user inputs can allow harmful scripts to be stored and executed. This represents a significant risk as it enables attackers with at least contributor-level access to execute scripts that can affect users viewing the infected pages. The remediation of this vulnerability was swiftly handled by the developers with an update to version 3.7.1.

Advice for Users:

  • Immediate Action: Update to version 3.7.1 immediately to address this vulnerability.
  • Check for Signs of Vulnerability: Review your site for unusual or unauthorized content in Widget Post Overlay blocks.
  • Alternate Plugins: While a patch is available, consider using alternative plugins offering similar functionality as a precaution.
  • Stay Updated: Regularly update your plugins to the latest versions to mitigate vulnerabilities.

Conclusion:

The quick response from the developers of Content Views to patch this vulnerability highlights the critical nature of maintaining up-to-date software. Users should immediately upgrade to version 3.7.1 or later to ensure their WordPress installations are secure.

References:

Detailed Report: 

In today's digital landscape, the security of your website is paramount. With cyber threats evolving rapidly, staying vigilant by regularly updating your website’s components is not just advisable—it’s essential. The recent discovery of a critical vulnerability in the widely-used WordPress plugin, Content Views – Post Grid & Filter, serves as a timely reminder of the potential risks. Known as CVE-2024-3929, this security flaw highlights the dangers of outdated software and the necessity of proactive security measures to protect your business and its online presence.

Plugin Overview:

The plugin in question, Content Views – Post Grid & Filter, Recent Posts, Category Posts, & More (Gutenberg Blocks and Shortcode), is a popular WordPress tool used to create attractive post grids and layouts. With over 100,000 active installs and more than four million downloads, its impact is significant across many WordPress sites. The plugin helps users display content in dynamic, customizable grids without needing to code, making it especially popular among small business owners looking to enhance their site's visual appeal and functionality.

The vulnerability allowed authenticated users with contributor-level access or higher to inject arbitrary web scripts through the Widget Post Overlay feature. This could enable attackers to manipulate website content or steal sensitive information from unsuspecting users.

Risks and Potential Impacts:

This type of vulnerability—stored cross-site scripting (XSS)—poses significant risks. It can lead to unauthorized access, data theft, and manipulation of website content, potentially damaging your business’s reputation and eroding customer trust. The fact that it requires a lower level of authentication (contributor level) to exploit makes it even more threatening for websites that have multiple users with content editing capabilities.

How to Remediate the Vulnerability:

  1. Immediate Action: Update the plugin to version 3.7.1, which contains the necessary fix.
  2. Check for Signs of Compromise: Review your site for any unusual or unauthorized changes to the Widget Post Overlay blocks.
  3. Regular Monitoring: Keep an eye on user activities and content updates within your site.
  4. Security Best Practices: Regularly update all plugins, themes, and the WordPress core. Utilize security plugins to monitor and protect your site.

Previous Vulnerabilities:

This isn’t the first time vulnerabilities have been found in the Content Views plugin. A previous issue was reported and patched earlier in January 2024, underlining the importance of regular updates and monitoring for new patches.

Conclusion:

For small business owners, finding the time to regularly update and monitor every aspect of your WordPress site can be challenging. However, the security of your site should never be compromised. Automating updates where possible, using reliable security plugins, and occasionally consulting with cybersecurity professionals can help safeguard your online assets without overwhelming your schedule. Staying on top of these updates is crucial—not just to protect your site, but to ensure the continuity and security of your business in the digital world.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Content Views – Post Grid & Filter, Recent Posts, Category Posts, & More (Gutenberg Blocks and Shortcode) Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Post Overlay – CVE-2024-3929 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment