Critical Vulnerability Information

Description
Vulnerability Type: Stored Cross-Site Scripting (XSS)
Affected Plugin: Top Comments <= 1.0
Issue: The plugin does not sanitize or escape certain settings, allowing high-privilege users (such as administrators) to perform stored XSS attacks, even when the capability is disabled (e.g., in multisite environments).

Proof of Concept
1. Navigate to the plugin section and click on Top Comments.
2. In the buttons section, input:
3. Click Save Settings.
4. View a post and add a comment (the content can be arbitrary).
5. Once you click to publish the comment and it gets approved, an alert box displaying "cursedwashere" will appear.

Affected Plugin
Plugin Name: top-comments
Fix Status: No known fix available

References
CVE ID: CVE-2024-12874

Classification
Type: XSS
OWASP Top 10: A7: Cross-Site Scripting (XSS)
CWE ID: CWE-79
CVSS Score: 3.5 (Low)

Additional Information
Original Researchers: Steven Pereira (Cursed271) & Muktanand Kale (Muktimantras)
Submitter Website: https://cursedsec.com/
Verification Status: Verified
WPVDB ID: 7cc14a87-4605-49f6-9d51-0b9eb57e6c9d

Timeline
Public Disclosure Date: 2024-11-22
Added Date: 2025-01-02
Last Updated Date: 2025-01-07
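The class of defect described above is a plugin setting that is stored as submitted and later echoed into page HTML without escaping. The example below is added here and is not the Top Comments plugin's code; the option name tc_example_button_label, the settings group tc_example_settings and the function names are hypothetical. It contrasts the unsafe pattern with the two-step fix WordPress plugin developers are expected to apply: sanitize on save through register_setting()'s sanitize_callback, and escape on output. The reason the advisory calls out multisite is a WordPress fact rather than something on the page: on a multisite network, ordinary site administrators do not hold the unfiltered_html capability, so a plugin that lets them store raw markup in a setting is widening what core deliberately withholds.

```php
<?php
// Added example, not code from the Top Comments plugin. All names are hypothetical.

// VULNERABLE pattern: the option is echoed exactly as stored, so any markup an
// administrator saved in the settings page is rendered for every visitor who
// sees the button (for example, next to each approved comment).
function tc_example_render_button_unsafe() {
    $label = get_option( 'tc_example_button_label', 'Top comments' );
    echo '<button class="tc-button">' . $label . '</button>';
}

// HARDENED pattern, step 1: sanitize on save.
// register_setting() attaches a sanitize_callback that the Settings API runs
// every time the option is written through options.php, so a tag-bearing
// value never reaches the database in the first place.
function tc_example_sanitize_label( $value ) {
    // A button label is plain text; strip tags and control characters.
    return sanitize_text_field( $value );
}

add_action( 'admin_init', function () {
    register_setting(
        'tc_example_settings',          // settings group used by settings_fields()
        'tc_example_button_label',      // option name
        array(
            'type'              => 'string',
            'sanitize_callback' => 'tc_example_sanitize_label',
            'default'           => 'Top comments',
        )
    );
} );

// HARDENED pattern, step 2: escape on output, independent of what is stored.
// Escaping at the point of output protects against values written by other
// code paths (imports, direct update_option() calls, older plugin versions).
function tc_example_render_button_safe() {
    $label = get_option( 'tc_example_button_label', 'Top comments' );
    echo '<button class="tc-button" title="' . esc_attr( $label ) . '">'
        . esc_html( $label )
        . '</button>';
}
```

Note the two different escaping functions: esc_attr() for a value placed inside an HTML attribute and esc_html() for a value placed between tags. If a setting is genuinely meant to carry limited markup, the output side should pass it through wp_kses_post() (the post-content allowlist) instead of esc_html(), and the save side should apply the same filter unless current_user_can( 'unfiltered_html' ) is true; that keeps the plugin's behaviour aligned with the capability the advisory says is being bypassed.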