CVE-2025-8722
Content Views <= 4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Grid and List WidgetsThe Content Views plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Grid and List widgets in all versions up to, and including, 4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
We have discovered 16,221 live websites that are affected by CVE-2025-8722.
Affected Software
| Product | |
| Category | Wordpress Plugins |
| Vulnerable Domains | 16,221 live websites (38% of Content Views install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 79 versions ( 96% of all versions) |
Common Weakness Enumeration
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Details
- Published - Sep 6, 2025
- Updated - Sep 8, 2025
Credits
- Craig Smith (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-8722 United States | 3,859 websites |
 Netherlands | 2,574 websites |
 Germany | 1,310 websites |
 Russia | 1,062 websites |
 Italy | 608 websites |
 France | 602 websites |
 Japan | 577 websites |
 GB | 486 websites |
 Belgium | 426 websites |
 Spain | 368 websites |
Website Distribution by TLD
Number of websites using CVE-2025-8722| .com | 5,251 websites |
| .nl | 2,499 websites |
| .org | 944 websites |
| .ru | 897 websites |
| .de | 800 websites |
| .it | 419 websites |
| .be | 405 websites |
| .net | 399 websites |
| .co.uk | 249 websites |
| .es | 222 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-8722
Top websites that are affected by CVE-2025-8722. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *******.es | Spain | *,*** | |
| ********.com | United States | **,*** | |
| ******.com | United States | **,*** | |
| *******.com | United States | **,*** | |
| ****.***.org | United States | **,*** | |
| *****.app |  Bulgaria | **,*** | |
| *******.com | United States | **,*** | |
| *********.com | United States | **,*** | |
| ************.it | United States | **,*** | |
| *********************.com | United States | **,*** |
FAQ
CVE-2025-8722 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Content Views
A total of 16,221 websites have been identified as vulnerable to CVE-2025-8722, based on global website indexing conducted by WebTechSurvey.
The Content Views is affected by the CVE-2025-8722 vulnerability.
Content Views versions up to and including 4.1 are vulnerable to CVE-2025-8722.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/12443e0c-2a03-4f62-bf89-cf0497f44a26?source=cve
- https://plugins.trac.wordpress.org/browser/content-views-query-and-display-post-page/trunk/elementor/render.php#L30
- https://wordpress.org/plugins/content-views-query-and-display-post-page/#developers
- https://plugins.trac.wordpress.org/changeset/3350005/