Cyber Resilience

CVE-2024-6704

Medium

Published: 02 August 2024

Published
02 August 2024
Modified
05 June 2025
KEV Added
Patch
CVSS Score v3.1 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS Score 0.0843 92.5th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-6704 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Gvectors Wpdiscuz. Its CVSS base score is 5.3 (Medium).

Operationally, ranked in the top 7.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

The Comments – wpDiscuz plugin for WordPress is vulnerable to HTML Injection in all versions up to and including 7.6.21. The issue stems from insufficient filtering of HTML tags in comments, which permits injection of arbitrary markup when rich editing is disabled. The flaw is tracked as CWE-79 and carries a CVSS 3.1 score of 5.3.

Unauthenticated attackers with network access can exploit the weakness to insert HTML elements such as hyperlinks into published comments. Because the attack requires no authentication or user interaction and targets integrity only, an adversary could alter comment content to redirect readers or degrade the trustworthiness of discussion threads on affected sites.

Public references point to a WordPress plugin changeset that addresses the lack of tag filtering, indicating that updating to a corrected release mitigates the exposure. The associated EPSS score has remained flat at 0.0843 with no material increase since disclosure.

EU & UK References

Vulnerability details

The Comments – wpDiscuz plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 7.6.21. This is due to a lack of filtering of HTML tags in comments. This makes it possible for unauthenticated attackers…

more

to add HTML such as hyperlinks to comments when rich editing is disabled.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

gvectors
wpdiscuz
≤ 7.6.22

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-79

Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.

addresses: CWE-79

Validates web inputs to reject script-related content that could produce XSS.

addresses: CWE-79

Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.

References