CVE-2024-12874

4.8 MEDIUM

📋 TL;DR

The Top Comments WordPress plugin through version 1.0 contains a stored cross-site scripting (XSS) vulnerability in its settings. This allows authenticated administrators to inject malicious scripts that execute when other users view affected pages, even in WordPress multisite configurations where unfiltered_html is restricted. The vulnerability affects WordPress sites using this plugin.

💻 Affected Systems

Products:
  • Top Comments WordPress Plugin
Versions: All versions through 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the Top Comments plugin enabled. Exploitation requires admin-level privileges.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker with admin privileges could inject malicious JavaScript that steals session cookies, redirects users to phishing sites, or performs actions on behalf of authenticated users, potentially leading to full site compromise.

🟠

Likely Case

Malicious admin injects tracking scripts or defaces the site by modifying content visible to other users through the comments section.

🟢

If Mitigated

With proper user access controls and plugin restrictions, impact is limited to the specific admin user's actions within their authorized scope.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated admin access. The vulnerability is in plugin settings that aren't properly sanitized.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.1 or later

Vendor Advisory: https://wpscan.com/vulnerability/7cc14a87-4605-49f6-9d51-0b9eb57e6c9d/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'Top Comments' plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, deactivate and delete the plugin if it is no longer needed.

🔧 Temporary Workarounds

Remove Plugin

Platform: all

Deactivate and delete the vulnerable plugin:

wp plugin deactivate top-comments
wp plugin delete top-comments

Restrict Admin Access

Platform: all

Implement strict access controls and monitor admin user activities.

🧯 If You Can't Patch

  • Remove the Top Comments plugin entirely from the WordPress installation
  • Implement strict monitoring of admin user activities and plugin settings changes

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for 'Top Comments' plugin version 1.0 or earlier

Check Version:

wp plugin list --name=top-comments --field=version

Verify Fix Applied:

Verify plugin version is 1.0.1 or later in WordPress admin panel

📡 Detection & Monitoring

Log Indicators:

  • Unusual modifications to plugin settings
  • Admin user making unexpected changes to comment-related settings

Network Indicators:

  • Suspicious JavaScript payloads in HTTP POST requests to wp-admin/admin-ajax.php or similar endpoints

SIEM Query:

source="wordpress" AND (plugin="top-comments" AND version<="1.0")
