CVE-2024-6704

5.3 MEDIUM

📋 TL;DR

The wpDiscuz WordPress plugin allows unauthenticated attackers to inject HTML code into comments when rich editing is disabled. This affects all WordPress sites using wpDiscuz versions up to 7.6.21. Attackers can embed malicious hyperlinks or other HTML elements in comments.

💻 Affected Systems

Products:
  • Comments – wpDiscuz WordPress Plugin
Versions: All versions up to and including 7.6.21
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable when rich editing is disabled in wpDiscuz settings. WordPress core is not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could embed malicious JavaScript that steals user credentials or session cookies when users view comments, leading to account compromise.

🟠 Likely Case

Attackers inject spam links or phishing URLs in comments to redirect users to malicious sites or promote scams.

🟢 If Mitigated

With proper HTML sanitization or plugin updates, only plain text comments are allowed, preventing HTML injection.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires no authentication and minimal technical skill - attackers simply post comments containing HTML tags.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.6.22

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3124810/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find wpDiscuz and click 'Update Now'.
4. Verify the version is 7.6.22 or higher.

🔧 Temporary Workarounds

Disable wpDiscuz Comments (applies to: all)

Temporarily disable the wpDiscuz plugin until patched:

wp plugin deactivate wpdiscuz

Enable Rich Editing (applies to: all)

Enable rich editing in wpDiscuz settings to bypass the vulnerable code path.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block HTML tags in comment submissions
  • Moderate all comments before publication to manually review for HTML content

🔍 How to Verify

Check if Vulnerable:

Check wpDiscuz plugin version in WordPress admin panel under Plugins → Installed Plugins

Check Version:

wp plugin get wpdiscuz --field=version

Verify Fix Applied:

Verify wpDiscuz version is 7.6.22 or higher and test submitting comments with HTML tags - they should be stripped or escaped

📡 Detection & Monitoring

Log Indicators:

  • Unusual comment submissions containing HTML tags
  • Multiple comment attempts from single IPs

Network Indicators:

  • HTTP POST requests to comment submission endpoints with HTML payloads

SIEM Query:

source="wordpress" AND (uri_path="/wp-comments-post.php" OR uri_path CONTAINS "wpdiscuz") AND http_method="POST" AND (body CONTAINS "<a href=" OR body CONTAINS "<script>" OR body CONTAINS "<img")
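As an added example (not part of the original advisory and not the plugin's own code), the SIEM query and the two log indicators above translated into a small Python detector run over constructed log records. The record field names, the sample URI under /wp-content/plugins/wpdiscuz/ and the per-IP threshold are assumptions, and the tag regex is deliberately broader than the query's three literal strings so that other HTML tags are also caught.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample records (not real traffic): one parsed request per entry,
# with the decoded request body in "body". The URI under
# /wp-content/plugins/wpdiscuz/ is made up only to exercise the
# CONTAINS "wpdiscuz" branch of the query, not a known plugin endpoint.
SAMPLE_LOGS: List[Dict[str, str]] = [
    {"source": "wordpress", "method": "POST", "uri_path": "/wp-comments-post.php",
     "client_ip": "203.0.113.5", "body": "comment=Great+post%2C+thanks"},
    {"source": "wordpress", "method": "POST", "uri_path": "/wp-comments-post.php",
     "client_ip": "203.0.113.5",
     "body": 'comment=Cheap+deals+<a href="http://example.invalid/offer">here</a>'},
    {"source": "wordpress", "method": "POST",
     "uri_path": "/wp-content/plugins/wpdiscuz/example-submit.php",
     "client_ip": "198.51.100.7",
     "body": 'wc_comment=<img src="http://example.invalid/t.gif">'},
    {"source": "wordpress", "method": "POST", "uri_path": "/wp-login.php",
     "client_ip": "198.51.100.9", "body": "log=user&pwd=REDACTED"},
    {"source": "wordpress", "method": "GET", "uri_path": "/wp-comments-post.php",
     "client_ip": "203.0.113.5", "body": "<script>"},
    {"source": "wordpress", "method": "POST", "uri_path": "/wp-comments-post.php",
     "client_ip": "203.0.113.5", "body": "comment=1+<+2+is+true"},
]

# Any HTML start tag (<a href=...>, <script>, <img ...>, <iframe> ...). A bare
# "<" followed by a non-letter, as in "1 < 2", does not match.
HTML_TAG = re.compile(r"<[a-zA-Z][a-zA-Z0-9-]*(\s[^<>]*)?>")


def is_comment_submission(rec: Dict[str, str]) -> bool:
    """Mirror the SIEM query's scoping: a WordPress POST to a comment endpoint."""
    path = rec.get("uri_path", "").lower()
    return (rec.get("source") == "wordpress"
            and rec.get("method", "").upper() == "POST"
            and (path == "/wp-comments-post.php" or "wpdiscuz" in path))


def html_injection_hits(records: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Comment submissions whose body carries an HTML tag (first log indicator)."""
    return [r for r in records
            if is_comment_submission(r) and HTML_TAG.search(r.get("body", ""))]


def noisy_ips(records: Iterable[Dict[str, str]], threshold: int = 3) -> Dict[str, int]:
    """IPs with at least `threshold` comment submissions (second log indicator)."""
    counts = Counter(r["client_ip"] for r in records if is_comment_submission(r))
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

Records 2 and 3 are flagged as HTML injection; the GET with `<script>` and the harmless "1 < 2" body are not, and 203.0.113.5 shows up as a noisy submitter.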

🔗 References
