The CMS Tree Page View plugin for WordPress has a Reflected Cross-Site Scripting vulnerability up to version 1.6.7. This is due to the post_type parameter not properly escaping user input. As a result, users with administrator privileges or higher can inject JavaScript code that will execute whenever accessed.
View the template here CVE-2023-30868.yaml
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-30868