WordPress Plugin Vulnerabilities

Comments – wpDiscuz < 7.6.22 - Unauthenticated HTML Injection

Description

The Comments – wpDiscuz plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 7.6.21. This is due to a lack of filtering of HTML tags in comments. This makes it possible for unauthenticated attackers to add HTML such as hyperlinks to comments when rich editing is disabled.

Affects Plugins

Plugin icon
wpdiscuz
Fixed in 7.6.22

References

CVE
CVE-2024-6704
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/fa3501a4-7975-4f90-8037-f8a06c293c07

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Tieu Pham Trong Nhan (aptx4869)
Verified
No
WPVDB ID
66542876-77ae-442d-acde-2aac642f1d36

Timeline

Publicly Published
2024-08-01 (about 1 year ago)
Added
2024-08-01 (about 1 year ago)
Last Updated
2024-08-02 (about 1 year ago)

Other

Published
Title
Published
2020-08-06
Title
Konzept < 2.5 - Unauthenticated Reflected XSS
Published
2024-03-15
Title
ElementsKit Elementor addons < 3.0.5 - Contributor+ Stored XSS
Published
2024-05-07
Title
Beaver Builder – WordPress Page Builder < 2.8.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2017-01-17
Title
Moreads Se < 1.4.7 - XSS
Published
2024-12-05
Title
Tydskrif <= 1.1.3 - Reflected Cross-Site Scripting