Impact
The vulnerability is a Server-Side Request Forgery (CWE-918) that lets an attacker cause the plugin to issue HTTP requests to arbitrary URLs from the WordPress server. Because those requests originate inside the hosting environment, they could reach internal resources, exfiltrate data, or serve as a stepping stone for further attacks such as reaching hidden services or leaking sensitive information. The impact is primarily on the confidentiality of data the server can reach, and on the availability of the application if the plugin can be abused to overwhelm the server with requests.
Affected Systems
The affected product is Ronald Huereca’s Comment Edit Core – Simple Comment Editing plugin for WordPress. All installed instances of the plugin with a version number up to and including 3.0.33 are vulnerable; versions newer than 3.0.33 are presumed to have fixed the issue.
Risk and Exploitability
The CVSS score of 4.4 indicates a low to moderate severity. The EPSS score of less than 1% suggests a very low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be exploitation of the comment editing functionality, where a crafted request can cause the plugin to forward traffic to an attacker‑controlled endpoint. Successful exploitation would require the ability to influence the editing interface on the affected site.
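The page does not show the plugin's flawed code path, so the following is an added illustration rather than the plugin's own code: a hypothetical WordPress AJAX handler that fetches a caller-supplied URL, shown first in the CWE-918-prone shape and then hardened with WordPress's built-in URL guards. Function names, the `sce_demo_fetch` nonce action and the AJAX hook are assumptions; `wp_http_validate_url()`, `wp_safe_remote_get()` and the other `wp_*` calls are real WordPress APIs.

```php
<?php
// Added example, not code from the Comment Edit Core plugin. Assumes the
// WordPress runtime is loaded; all sce_demo_* names are hypothetical.

// SSRF-prone shape: the URL is taken from the request and fetched as-is, so the
// server will connect to whatever host the caller names, internal ones included.
function sce_demo_fetch_unsafe() {
    $url      = isset( $_POST['url'] ) ? wp_unslash( $_POST['url'] ) : '';
    $response = wp_remote_get( $url ); // no scheme, host or port restriction
    wp_send_json_success( wp_remote_retrieve_body( $response ) );
}

// Hardened shape.
function sce_demo_fetch_safe() {
    // 1. The request must carry a valid nonce and come from a capable user.
    check_ajax_referer( 'sce_demo_fetch', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. Restrict to http(s). wp_http_validate_url() additionally rejects URLs
    //    with embedded credentials, ports other than 80/443/8080, and hosts that
    //    resolve to loopback or RFC 1918 space (unless a site opts in via the
    //    http_request_host_is_external filter).
    $raw = isset( $_POST['url'] ) ? wp_unslash( $_POST['url'] ) : '';
    $url = wp_http_validate_url( esc_url_raw( $raw, array( 'http', 'https' ) ) );
    if ( false === $url ) {
        wp_send_json_error( 'invalid url', 400 );
    }

    // 3. Caveat: the core check does not cover the 169.254.0.0/16 link-local
    //    range (cloud instance metadata lives there), so refuse it explicitly.
    $ip = gethostbyname( wp_parse_url( $url, PHP_URL_HOST ) );
    if ( 0 === strpos( $ip, '169.254.' ) ) {
        wp_send_json_error( 'invalid url', 400 );
    }

    // 4. wp_safe_remote_get() sets reject_unsafe_urls, so the URL is re-validated
    //    at request time; disabling redirects removes the one path a pre-check
    //    cannot vet, and a short timeout limits abuse for request flooding.
    $response = wp_safe_remote_get( $url, array( 'timeout' => 5, 'redirection' => 0 ) );
    if ( is_wp_error( $response ) ) {
        wp_send_json_error( 'fetch failed', 502 );
    }
    wp_send_json_success( wp_remote_retrieve_body( $response ) );
}

// Register only the hardened handler, and only for authenticated users
// (no wp_ajax_nopriv_ hook).
add_action( 'wp_ajax_sce_demo_fetch', 'sce_demo_fetch_safe' );
```

The DNS lookup in step 3 and the one inside `wp_safe_remote_get()` are separate resolutions, so a host whose answer changes between them is still only as safe as the request-time check; keeping `reject_unsafe_urls` on is what closes that gap.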
OpenCVE Enrichment