Impact
The TS Comfort DB plugin for WordPress fails to neutralize user-supplied input before writing it into the pages it generates, which allows an attacker to inject arbitrary JavaScript. When a specially constructed query string, form field, or parameter is reflected by the plugin, the injected script runs in the browser of any visitor who loads that page, potentially resulting in session hijacking, data theft, or site defacement. The flaw is classified as CWE-79 (cross-site scripting) and directly compromises the confidentiality and integrity of user interactions with the site.
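The following is an added illustration of the reflection pattern described above and of the output-escaping that prevents it; it is not code from the plugin or from this advisory. The query parameter name "term", the host example.test and the page template are assumptions made for the example, and the payload is a textbook value chosen only to exercise both output contexts. The page is parsed with Python's own HTML parser to count how many script elements a browser would actually see in each rendering.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed request: the query parameter "term" and the host are placeholders,
# not the plugin's real parameter or any real site. The value closes a quoted
# attribute and opens a script element, so both contexts below are exercised.
SAMPLE_URL = "https://example.test/?term=%22%3E%3Cscript%3Ealert(1)%3C/script%3E"

# Minimal page fragment (assumed, not the plugin's) that reflects the parameter
# in two contexts: as HTML text inside <h2>, and as a double-quoted attribute.
PAGE_TEMPLATE = (
    "<h2>Results for: {term_text}</h2>\n"
    '<input name="term" value="{term_attr}">'
)


def reflected_param(url, name="term"):
    """Return the first value of `name` from the URL's query string, or ''."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(url):
    """CWE-79 pattern: the parameter is written into the page unchanged."""
    term = reflected_param(url)
    return PAGE_TEMPLATE.format(term_text=term, term_attr=term)


def render_fixed(url):
    """Escape per output context before reflecting.

    Text nodes need &, < and > neutralized; attribute values additionally
    need quotes neutralized so the value cannot close the attribute.
    """
    term = reflected_param(url)
    return PAGE_TEMPLATE.format(
        term_text=html.escape(term, quote=False),
        term_attr=html.escape(term, quote=True),
    )


class ScriptCounter(HTMLParser):
    """Count <script> start tags as a tokenizer (and thus a browser) sees them."""

    def __init__(self):
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1


def count_script_elements(page):
    """Number of script elements the rendered page actually contains."""
    counter = ScriptCounter()
    counter.feed(page)
    counter.close()
    return counter.scripts


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        page = render(SAMPLE_URL)
        print(f"{label}: {count_script_elements(page)} script element(s)\n{page}\n")
```

The vulnerable rendering yields two script elements (one from the text context, one from the attribute break-out), the fixed rendering none, and the attacker's characters survive only as entities. The same discipline applies in a WordPress plugin: escape at the point of output with the function matching the context rather than trusting the request data.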
Affected Systems
WordPress installations that employ the TS Comfort DB plugin from its earliest releases up through version 2.0.7 are vulnerable. Any deployment that has not yet upgraded past that point should be considered impacted.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity. The EPSS score is below 1%, implying that exploitation is currently unlikely but not impossible. The attack path is remote: an attacker needs to lure a user to a maliciously crafted URL or form that the plugin reflects. Successful exploitation allows the execution of arbitrary client-side code in the victim's browser, undermining trust and possibly leading to credential compromise. This vulnerability is not listed in the CISA KEV catalog.
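Because the attack path runs through a crafted URL, attempts against a reflected parameter leave traces in the web server's access log. The following is an added detection example, not part of this advisory or of the plugin: it parses combined-format log lines, decodes each query parameter (including double-encoded values) and flags those carrying markup or script indicators. The log lines, IP addresses and the "term" parameter are all constructed for the example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines in combined format; hosts, addresses and the
# "term" parameter are placeholders, not values observed on any real site.
LOG_LINES = [
    '203.0.113.5 - - [10/May/2024:12:00:01 +0000] "GET /?term=wordpress HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/May/2024:12:00:07 +0000] "GET /?term=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/May/2024:12:00:09 +0000] "GET /?term=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 640 "-" "curl/8.0"',
    '198.51.100.7 - - [10/May/2024:12:00:12 +0000] "GET /about/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators of script injection in a reflected parameter. Names are sorted
# in the output so results are stable.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "js_uri": re.compile(r"javascript\s*:", re.I),
    "markup_in_param": re.compile(r"<\s*[a-z]", re.I),
}


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding; stop when a round changes nothing."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    hits = []
    # parse_qsl already decodes one layer; fully_decode handles the rest.
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = fully_decode(raw)
        matched = sorted(k for k, rx in INDICATORS.items() if rx.search(decoded))
        if matched:
            hits.append({"param": name, "indicators": matched, "decoded": decoded})
    if not hits:
        return None
    return {
        "ip": m.group("ip"),
        "timestamp": m.group("ts"),
        "path": urlsplit(target).path,
        "status": int(m.group("status")),
        "hits": hits,
    }


def scan_log(lines):
    """Run classify_request over every line and keep the findings."""
    return [f for f in (classify_request(line) for line in lines) if f]


if __name__ == "__main__":
    for finding in scan_log(LOG_LINES):
        print(finding["ip"], finding["path"], finding["status"], finding["hits"])
```

Two of the four constructed lines are flagged: the plain `<script>` attempt and the double-encoded event-handler attempt, which a single decoding pass would miss. A 200 response to such a request says nothing by itself about whether the reflection succeeded, and form fields submitted by POST never appear in an access log, so this check complements, rather than replaces, upgrading the plugin past the affected versions.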
OpenCVE Enrichment