CVE-2024-12874: 
WordPress vulnerability analysis and mitigation

The Top Comments WordPress plugin through version 1.0 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered by Steven Pereira (Cursed271) & Muktanand Kale (Muktimantras) and was assigned CVE-2024-12874 (WPScan).

The vulnerability exists due to improper sanitization and escaping of settings in the Top Comments WordPress plugin. This security flaw allows high-privilege users, such as administrators, to perform Stored Cross-Site Scripting attacks even in environments where the unfiltered_html capability is disabled, such as in multisite setups. The vulnerability has been assigned a CVSS score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (WPScan, Wiz).

When exploited, this vulnerability allows privileged users to inject and store malicious JavaScript code through the plugin's settings interface. The stored XSS payload will then execute when other users view affected pages, potentially leading to session hijacking, credential theft, or other client-side attacks (Wiz).

Currently, there is no known fix available for this vulnerability. Users of the Top Comments WordPress plugin should consider either removing the plugin or implementing additional security controls to restrict access to the plugin's settings (Wiz).