Content Views – Post Grid & Filter, Recent Posts, Category Posts … (Shortcode, Gutenberg Blocks, and Widgets for Elementor) Security & Risk Analysis

wordpress.org/plugins/content-views-query-and-display-post-page

Easy to show posts, pages, custom posts in customizable grid, list, slider, accordion... Available as Widgets (for Elementor), Shortcode, and Blocks.

100K active installs · v4.3 · PHP 5.6+ · WP 3.3+ · Updated Jan 28, 2026
Tags: blocks, elementor, gutenberg, post-grid, recent-posts

Score: 96 (A · Safe)
CVEs total: 4
Unpatched: 0
Last CVE: Sep 5, 2025
Safety Verdict

Is Content Views – Post Grid & Filter, Recent Posts, Category Posts … (Shortcode, Gutenberg Blocks, and Widgets for Elementor) Safe to Use in 2026?

Generally Safe

Score 96/100

Content Views – Post Grid & Filter, Recent Posts, Category Posts … (Shortcode, Gutenberg Blocks, and Widgets for Elementor) has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Sep 5, 2025 · Updated 2mo ago
Risk Assessment

The 'content-views-query-and-display-post-page' plugin v4.3 exhibits a mixed security posture. While it demonstrates some good practices like a high percentage of prepared SQL statements and a significant number of output escaping routines, several critical vulnerabilities are present in its entry points. The static analysis reveals a substantial attack surface with four unprotected entry points: two AJAX handlers and two REST API routes that lack permission callbacks. This is a major concern as it exposes functionalities to unauthorized access and manipulation.

The taint analysis compounds these concerns: it identifies two high-severity flows with unsanitized paths. This means user-supplied input may be handled improperly, which can lead to cross-site scripting or other injection issues if these flows are reachable through the unprotected entry points. The presence of the `unserialize` function is also a red flag, since it becomes a deserialization vector when it is applied to untrusted input.

Historically, the plugin has a concerning pattern of medium-severity Cross-Site Scripting (XSS) vulnerabilities, with four known CVEs of this type. Although none are currently unpatched, this history indicates a recurring weakness in input sanitization and output escaping for web page generation. The presence of a recently disclosed vulnerability (2025-09-05) suggests that ongoing security issues are being discovered. Overall, while the plugin employs some secure coding practices, the unprotected entry points, identified taint flows, and historical vulnerability patterns present significant risks that require immediate attention and remediation.

Key Concerns

  • Unprotected AJAX handlers (2)
  • Unprotected REST API routes (2)
  • High severity unsanitized paths (2)
  • Dangerous function: unserialize
  • Bundled outdated library: Select2 v3.4.5
  • History of medium XSS vulnerabilities (4 total)

Vulnerabilities (4)

Content Views – Post Grid & Filter, Recent Posts, Category Posts … (Shortcode, Gutenberg Blocks, and Widgets for Elementor) Security Vulnerabilities

CVEs by Year

2024: 3 CVEs
2025: 1 CVE

Severity Breakdown

Medium: 4 (4 total CVEs)

CVE-2025-8722 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Content Views <= 4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Grid and List Widgets

Sep 5, 2025 · Patched in 4.2 (1d)

CVE-2024-4446 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Content Views – Post Grid & Filter, Recent Posts, Category Posts, & More (Gutenberg Blocks and Shortcode) <= 3.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via pagingType Parameter

May 6, 2024 · Patched in 3.7.2 (4d)

CVE-2024-3929 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Content Views – Post Grid & Filter, Recent Posts, Category Posts, & More (Gutenberg Blocks and Shortcode) <= 3.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Post Overlay

Apr 24, 2024 · Patched in 3.7.1 (1d)

CVE-2024-0612 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Content Views <= 3.6.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Jan 22, 2024 · Patched in 3.6.3 (190d)

Code Analysis
Analyzed Mar 16, 2026

Content Views – Post Grid & Filter, Recent Posts, Category Posts … (Shortcode, Gutenberg Blocks, and Widgets for Elementor) Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 1 (6 prepared)
Unescaped Output: 49 (167 escaped)
Nonce Checks: 2
Capability Checks: 4
File Operations: 2
External Requests: 1
Bundled Libraries: 1

Dangerous Functions Found

unserialize: `return unserialize( base64_decode( $data ) );` (includes\compatibility.php:344)

Bundled Libraries

Select2 3.4.5

SQL Query Safety

86% prepared (7 total queries)

Output Escaping

77% escaped (216 total outputs)

Data Flows (4 unsanitized)

Data Flow Analysis

6 flows, 4 with unsanitized paths

ajax_callback_pagination_request (includes\functions.php:1236)

Attack Surface (4 unprotected)

Content Views – Post Grid & Filter, Recent Posts, Category Posts … (Shortcode, Gutenberg Blocks, and Widgets for Elementor) Attack Surface

Entry Points: 4
Unprotected: 4

AJAX Handlers 2

auth wp_ajax_contentviews_elementor_search_post (elementor\_hooks.php:26)
auth wp_ajax_contentviews_elementor_get_title (elementor\_hooks.php:27)

REST API Routes 2

GET /wp-json/contentviews/v1/block_template_pattern (block\template_pattern.php:42)
GET /wp-json/contentviews/v1/update_block_template_pattern (block\template_pattern.php:54)

WordPress Hooks 62

action admin_init (admin\content-views-admin.php:50)
action admin_enqueue_scripts (admin\content-views-admin.php:53)
action admin_enqueue_scripts (admin\content-views-admin.php:54)
action admin_enqueue_scripts (admin\content-views-admin.php:55)
action admin_print_footer_scripts (admin\content-views-admin.php:56)
action admin_menu (admin\content-views-admin.php:59)
filter post_row_actions (admin\content-views-admin.php:73)
filter manage_pt_view_posts_columns (admin\content-views-admin.php:76)
action manage_pt_view_posts_custom_column (admin\content-views-admin.php:77)
filter get_edit_post_link (admin\content-views-admin.php:80)
filter admin_title (admin\content-views-admin.php:83)
action admin_init (admin\includes\plugin.php:33)
filter block_categories_all (block\common.php:10)
action enqueue_block_editor_assets (block\common.php:13)
action admin_enqueue_scripts (block\common.php:14)
action init (block\init.php:30)
action init (block\old\main.php:13)
action enqueue_block_editor_assets (block\old\main.php:57)
action rest_api_init (block\template_pattern.php:23)
filter the_content (content-views.php:71)
filter widget_text (content-views.php:72)
action elementor/init (elementor\main.php:25)
action elementor/widgets/register (elementor\main.php:42)
action elementor/controls/register (elementor\main.php:43)
action elementor/elements/categories_registered (elementor\main.php:44)
filter elementor/editor/localize_settings (elementor\main.php:45)
action elementor/editor/after_enqueue_styles (elementor\main.php:47)
action elementor/editor/after_enqueue_scripts (elementor\main.php:48)
action elementor/preview/enqueue_styles (elementor\main.php:49)
filter autoptimize_filter_js_defer (includes\compatibility.php:54)
filter pt_cv_field_content_excerpt (includes\compatibility.php:63)
filter pt_cv_field_content_excerpt (includes\compatibility.php:76)
action cornerstone_load_builder (includes\compatibility.php:106)
action cornerstone_before_boot_app (includes\compatibility.php:107)
action cornerstone_before_ajax (includes\compatibility.php:108)
action cornerstone_before_load_preview (includes\compatibility.php:109)
filter pt_cv_field_content_full (includes\compatibility.php:119)
filter facetwp_is_main_query (includes\compatibility.php:141)
action pre_get_posts (includes\compatibility.php:151)
filter pt_cv_before_generate_excerpt (includes\compatibility.php:169)
action pt_cv_before_content (includes\compatibility.php:207)
action pre_get_posts (includes\compatibility.php:215)
filter option_scporder_options (includes\compatibility.php:231)
filter option_hicpo_options (includes\compatibility.php:239)
action wp_print_styles (includes\compatibility.php:252)
action pt_cv_add_global_variables (includes\compatibility.php:352)
filter pt_cv_before_generate_excerpt (includes\compatibility.php:363)
action pt_cv_get_view_settings (includes\compatibility.php:373)
action template_redirect (includes\compatibility.php:395)
action pt_cv_view_process_start (includes\compatibility.php:429)
action pt_cv_view_process_end (includes\compatibility.php:440)
filter paginate_links (includes\functions.php:1388)
filter wp_get_attachment_image_attributes (includes\hooks.php:39)
action wp_print_footer_scripts (includes\html.php:798)
action init (public\content-views.php:45)
action init (public\content-views.php:48)
action wpmu_new_blog (public\content-views.php:51)
action wp_enqueue_scripts (public\content-views.php:54)
action wp_enqueue_scripts (public\content-views.php:55)
action wp_head (public\content-views.php:58)
action wp_footer (public\content-views.php:61)
action wp_footer (public\content-views.php:64)

Scheduled Events 1

contentviews_block_cron

Maintenance & Trust

Content Views – Post Grid & Filter, Recent Posts, Category Posts … (Shortcode, Gutenberg Blocks, and Widgets for Elementor) Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 28, 2026
PHP min version: 5.6
Downloads: 5.1M

Community Trust

Rating: 96/100
Number of ratings: 333
Active installs: 100K

Developer Profile

Content Views – Post Grid & Filter, Recent Posts, Category Posts … (Shortcode, Gutenberg Blocks, and Widgets for Elementor) Developer Profile

Content Views

1 plugin · 100K total installs

Trust score: 85
Avg Security Score: 96/100
Avg Patch Time: 49 days

Detection Fingerprints

How We Detect Content Views – Post Grid & Filter, Recent Posts, Category Posts … (Shortcode, Gutenberg Blocks, and Widgets for Elementor)

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/content-views-query-and-display-post-page/assets/css/menu.css
/wp-content/plugins/content-views-query-and-display-post-page/assets/css/admin.css
/wp-content/plugins/content-views-query-and-display-post-page/assets/css/wp38.css
/wp-content/plugins/content-views-query-and-display-post-page/assets/css/backend.css
/wp-content/plugins/content-views-query-and-display-post-page/assets/css/frontend.css
/wp-content/plugins/content-views-query-and-display-post-page/assets/js/backend.js
/wp-content/plugins/content-views-query-and-display-post-page/assets/js/frontend.js
/wp-content/plugins/content-views-query-and-display-post-page/assets/js/backend-add-edit-view.js
+2 more

Script Paths
/wp-content/plugins/content-views-query-and-display-post-page/assets/js/backend.js
/wp-content/plugins/content-views-query-and-display-post-page/assets/js/frontend.js
/wp-content/plugins/content-views-query-and-display-post-page/assets/js/backend-add-edit-view.js
/wp-content/plugins/content-views-query-and-display-post-page/assets/js/backend-all-views.js
/wp-content/plugins/content-views-query-and-display-post-page/assets/js/frontend-view.js

Version Parameters
content-views-query-and-display-post-page/assets/css/menu.css?ver=
content-views-query-and-display-post-page/assets/css/admin.css?ver=
content-views-query-and-display-post-page/assets/css/wp38.css?ver=
content-views-query-and-display-post-page/assets/css/backend.css?ver=
content-views-query-and-display-post-page/assets/css/frontend.css?ver=
content-views-query-and-display-post-page/assets/js/backend.js?ver=
content-views-query-and-display-post-page/assets/js/frontend.js?ver=
content-views-query-and-display-post-page/assets/js/backend-add-edit-view.js?ver=
content-views-query-and-display-post-page/assets/js/backend-all-views.js?ver=
content-views-query-and-display-post-page/assets/js/frontend-view.js?ver=

HTML / DOM Fingerprints

CSS Classes
cv-add-new, cv-views-add-edit, cv-add-new-view-button, cv-view-shortcode-container, cv-view-settings

HTML Comments
<!-- Preview the view -->
<!-- Content Views --

Data Attributes
data-cv-view-id, data-cv-post-id

JS Globals
cv_args, PT_CV_AJAX_URL, PT_CV_POST_TYPE

Shortcode Output
[cv_view

FAQ

Frequently Asked Questions about Content Views – Post Grid & Filter, Recent Posts, Category Posts … (Shortcode, Gutenberg Blocks, and Widgets for Elementor)