Impact
An attacker can exploit a stored cross-site scripting flaw in the Custom Comment plugin to inject arbitrary client-side script that executes in the browser of any user who views the affected comment. The vulnerability arises from improper neutralization of input during web page generation: the malicious payload is saved unmodified and later served as part of the page content. The impact is loss of client-side confidentiality and integrity for site users, including potential redirection, data theft, or session hijacking; the flaw does not by itself compromise the server. This weakness is classified as CWE-79.
Affected Systems
The issue exists in the Custom Comment plugin by imaprogrammer, version 2.1.6 and earlier. Any WordPress site with this plugin installed and not upgraded beyond 2.1.6 is vulnerable. Version data from the CNA confirms the affected range, but no finer sub-version detail is provided.
Risk and Exploitability
The CVSS score of 5.9 indicates moderate severity, yet the EPSS score of less than 1% implies a very low probability of exploitation at the time of assessment. The vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed malicious exploitation in the wild. The likely attack vector is a remote attacker submitting a comment (or similar plugin input) that contains the malicious payload; once the comment is stored, the embedded script executes in the browser of any visitor who views it. Successful exploitation typically requires that the target WordPress site allows comment submission and that users visit the page on which the affected comment is displayed.
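The following PHP snippet is an added illustration of the CWE-79 pattern described above and of the output-encoding fix a plugin author would apply; it is not code from the Custom Comment plugin. The comment body is a constructed sample, and the function names (`render_comment_unsafe`, `render_comment_safe`, `contains_live_script`) are hypothetical. It uses plain `htmlspecialchars()` so it runs with the PHP CLI outside WordPress; inside a plugin the equivalent calls are `esc_html()` for plain text or `wp_kses_post()` when limited markup must be kept.

```php
<?php
// Added illustration (not plugin code): how a stored XSS in comment rendering
// arises and how output encoding at render time prevents it.
// SAMPLE_COMMENT is a constructed example of attacker-supplied text as it
// would sit in the database after being stored without neutralization.

declare(strict_types=1);

const SAMPLE_COMMENT = 'Nice post <script>alert(1)</script>';

// Vulnerable pattern (CWE-79): stored text is interpolated straight into HTML,
// so any markup in the comment becomes part of the page for every viewer.
function render_comment_unsafe(string $body): string
{
    return '<div class="comment">' . $body . '</div>';
}

// Hardened pattern: encode for the HTML text context at output time.
// ENT_QUOTES also encodes single quotes, ENT_SUBSTITUTE avoids returning an
// empty string on invalid UTF-8, which would otherwise silently drop content.
// In WordPress, esc_html() performs this role; wp_kses_post() is the choice
// when a restricted set of tags must be preserved.
function render_comment_safe(string $body): string
{
    $encoded = htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="comment">' . $encoded . '</div>';
}

// Regression check a reviewer can run over rendered output: a live <script>
// tag must never survive rendering of user-controlled comment text.
function contains_live_script(string $html): bool
{
    return preg_match('/<script\b/i', $html) === 1;
}

$unsafe = render_comment_unsafe(SAMPLE_COMMENT);
$safe   = render_comment_safe(SAMPLE_COMMENT);

echo "unsafe: {$unsafe}\n";
echo "safe:   {$safe}\n";
echo 'unsafe output contains live script: ' . (contains_live_script($unsafe) ? 'yes' : 'no') . "\n";
echo 'safe output contains live script:   ' . (contains_live_script($safe) ? 'yes' : 'no') . "\n";
```

The important design point is that encoding happens at the output boundary, not on input: stored data stays as the user wrote it, and every place that renders it into HTML applies the encoding for that context. Input-side filtering alone tends to miss alternative encodings and breaks legitimate text, which is how "improper neutralization during web page generation" flaws like this one arise.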