CVE-2024-0612: 
WordPress vulnerability analysis and mitigation

The Content Views – Post Grid, Slider, Accordion (Gutenberg Blocks and Shortcode) plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-0612) affecting all versions up to and including 3.6.2. The vulnerability was discovered in January 2024 and publicly disclosed on February 5, 2024. This security issue specifically affects WordPress installations with multi-site configurations or where unfiltered_html has been disabled (NVD CVE).

The vulnerability stems from insufficient input sanitization and output escaping in the plugin's admin settings. It has been assigned a CVSS v3.1 base score of 4.8 (Medium) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. Wordfence has assigned a slightly different CVSS score of 4.4 (Medium) with a vector string of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD CVE, WPScan).

When exploited, this vulnerability allows authenticated attackers with administrator-level permissions to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page (NVD CVE).

The vulnerability has been patched in version 3.6.3 of the Content Views plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).