Impact
The vulnerability is a Cross-Site Request Forgery (CSRF) flaw that chains into stored Cross-Site Scripting: the request that saves the plugin's comment-notification data is not protected against forgery, so an attacker can make a logged-in administrator's browser submit a request that stores attacker-controlled JavaScript. The stored script then executes whenever an administrator later views the affected page, letting the attacker act within that administrator's session, deface the site, or steal credentials. The attacker cannot store the payload directly: the forged request only succeeds when a user who is already authenticated with the required privileges submits it, typically after being lured to an attacker-controlled page or link.
Affected Systems
All installations of the scweber Custom Comment Notifications plugin at version 1.0.8 or earlier, on any WordPress host, are affected. The plugin is used on sites that customize comment moderation or notification workflows.
Risk and Exploitability
With a CVSS score of 7.1, the flaw is rated High. The EPSS score of less than 1% indicates a low current probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog, so no widespread exploitation has been reported. Exploitation still depends on social engineering: the attacker must get an administrator, or another user whose role can trigger the vulnerable action, to open a page or link that submits the forged request while logged in, because the browser attaches the victim's WordPress cookies to the cross-site request. Once the stored script runs in an administrator's browser it executes with that user's privileges and can issue further authenticated requests to wp-admin or the REST API (for example to create accounts or change settings), even though WordPress auth cookies are HttpOnly and so cannot simply be read out by script.
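The following is an added illustration of the CSRF-to-stored-XSS pattern described in the Impact and Risk sections, showing a vulnerable settings handler next to a hardened one. It is not the scweber Custom Comment Notifications plugin's code: the handler names, the option name `notify_subject`, the nonce action `ccn_save_settings` and the `NONCE_SECRET` constant are hypothetical, and the WordPress functions a real fix would use (`check_admin_referer`, `current_user_can`, `sanitize_text_field`, `esc_html`) are replaced with minimal stand-ins so the file runs under plain `php` without a WordPress install.

```php
<?php
// Added example: CSRF that persists HTML, beside the hardened form.
// NOT the plugin's code; all names below are hypothetical.

// --- minimal stand-ins for a WordPress environment (assumptions) ----------
$options = [];                                      // stands in for wp_options
$logged_in_user_caps = ['manage_options' => true];  // the victim: an admin
const NONCE_SECRET = 'demo-secret';  // wp_nonce_* derives this from AUTH_SALT

function make_nonce(string $action): string {
    // wp_create_nonce(): keyed hash over the action (real one also binds user + time window)
    return substr(hash_hmac('sha256', $action, NONCE_SECRET), 0, 10);
}

function verify_nonce(?string $nonce, string $action): bool {
    // wp_verify_nonce() / check_admin_referer(): constant-time compare
    return is_string($nonce) && hash_equals(make_nonce($action), $nonce);
}

// --- vulnerable handler: trusts any request carrying the admin's cookies -----
function vulnerable_save(array $post): void {
    global $options;
    // No nonce check, so a form auto-submitted from any origin is accepted,
    // and the value is stored verbatim: the CSRF persists attacker HTML.
    $options['notify_subject'] = $post['notify_subject'] ?? '';
}

function vulnerable_render(): string {
    global $options;
    // Unescaped output: a stored <script> runs in the admin's browser context.
    return '<p>Subject: ' . ($options['notify_subject'] ?? '') . '</p>';
}

// --- hardened handler: capability + nonce on write, sanitise, escape on read --
function hardened_save(array $post): bool {
    global $options, $logged_in_user_caps;
    // current_user_can('manage_options')
    if (empty($logged_in_user_caps['manage_options'])) {
        return false;
    }
    // check_admin_referer('ccn_save_settings'): forged cross-site requests
    // cannot carry a valid nonce, so they are rejected here.
    if (!verify_nonce($post['_wpnonce'] ?? null, 'ccn_save_settings')) {
        return false;
    }
    // sanitize_text_field(): strip tags before storing
    $options['notify_subject'] = trim(strip_tags($post['notify_subject'] ?? ''));
    return true;
}

function hardened_render(): string {
    global $options;
    // esc_html(): defence in depth even if something bypasses sanitisation
    $safe = htmlspecialchars($options['notify_subject'] ?? '', ENT_QUOTES, 'UTF-8');
    return '<p>Subject: ' . $safe . '</p>';
}

// --- demo with a constructed forged request ---------------------------------
$forged = ['notify_subject' => '<script>/* attacker payload */</script>'];

// The browser attaches the victim's cookies to the forged POST, but the
// attacker cannot know the nonce, so only the vulnerable handler accepts it.
vulnerable_save($forged);
echo "vulnerable:        ", vulnerable_render(), "\n";

$accepted = hardened_save($forged);
echo "hardened (forged): ", $accepted ? 'accepted' : 'rejected', "\n";

// A legitimate same-site submission carries the nonce emitted by the form.
$legit = $forged + ['_wpnonce' => make_nonce('ccn_save_settings')];
hardened_save($legit);
echo "hardened (legit):  ", hardened_render(), "\n";
```

The forged request is rejected by the hardened handler before any write happens, and even a legitimate submission containing markup is tag-stripped on write and HTML-escaped on read, so the admin-side page never interprets stored data as script. In a real plugin the nonce must be bound to the logged-in user and a time window (which `wp_create_nonce` does), and the capability check should match the least privilege the action actually needs.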