Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Habibur Rahman Comment Form WP – Customize Default Comment Form comment-form-wp allows Stored XSS.This issue affects Comment Form WP – Customize Default Comment Form: from n/a through <= 2.0.1.
Published: 2025-09-05
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Comment Form WP – Customize Default Comment Form plugin, where an attacker can inject malicious script code that is then stored and later rendered by the site. This stored XSS flaw allows the attacker to execute arbitrary JavaScript in the context of any site visitor, potentially leading to defacement, credential theft or session hijacking. The weakness is classified as CWE‑79 and is reflected in a CVSS score of 5.9, indicating moderate severity.

Affected Systems

WordPress users who have installed the Habibur Rahman Comment Form WP – Customize Default Comment Form plugin, version 2.0.1 or earlier, are affected. All prior releases are included in the impact sphere.

Risk and Exploitability

With an EPSS score of less than 1%, the likelihood of an exploit observed in the wild is low, and the vulnerability is not listed in CISA’s KEV catalog. Nonetheless, the flaw can be exploited via the comment submission interface, where any user who can post comments may inject payloads that persist in the database and trigger when normal visitors view the page. The attack vector is inferred to be from the web interface, and the consequences could affect confidentiality, integrity, and availability for all visitors to pages displaying comments.

Generated by OpenCVE AI on April 30, 2026 at 02:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Comment Form WP – Customize Default Comment Form to the latest release that removes the XSS flaw.
  • If an upgrade cannot be performed immediately, disable the plugin’s comment form or enforce strict moderation to ensure any stored comment content is sanitized before display.
  • Maintain up to date WordPress core and other plugins to reduce exploitation surface and apply any related security patches.

Generated by OpenCVE AI on April 30, 2026 at 02:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-26952 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Habibur Rahman Comment Form WP &#8211; Customize Default Comment Form allows Stored XSS. This issue affects Comment Form WP &#8211; Customize Default Comment Form: from n/a through 2.0.0.
History

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Habibur Rahman Comment Form WP &#8211; Customize Default Comment Form comment-form-wp allows Stored XSS.This issue affects Comment Form WP &#8211; Customize Default Comment Form: from n/a through <= 2.0.1. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Habibur Rahman Comment Form WP – Customize Default Comment Form comment-form-wp allows Stored XSS.This issue affects Comment Form WP – Customize Default Comment Form: from n/a through <= 2.0.1.

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Habibur Rahman Comment Form WP &#8211; Customize Default Comment Form allows Stored XSS. This issue affects Comment Form WP &#8211; Customize Default Comment Form: from n/a through 2.0.0. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Habibur Rahman Comment Form WP &#8211; Customize Default Comment Form comment-form-wp allows Stored XSS.This issue affects Comment Form WP &#8211; Customize Default Comment Form: from n/a through <= 2.0.1.
Title WordPress Comment Form WP – Customize Default Comment Form Plugin <= 2.0.0 - Cross Site Scripting (XSS) Vulnerability WordPress Comment Form WP – Customize Default Comment Form plugin <= 2.0.1 - Cross Site Scripting (XSS) vulnerability
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Mon, 08 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 07 Sep 2025 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Fri, 05 Sep 2025 14:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Habibur Rahman Comment Form WP &#8211; Customize Default Comment Form allows Stored XSS. This issue affects Comment Form WP &#8211; Customize Default Comment Form: from n/a through 2.0.0.
Title WordPress Comment Form WP – Customize Default Comment Form Plugin <= 2.0.0 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:48:08.868Z

Reserved: 2025-09-05T10:49:34.050Z

Link: CVE-2025-58825

cve-icon Vulnrichment

Updated: 2025-09-08T15:26:00.489Z

cve-icon NVD

Status : Deferred

Published: 2025-09-05T14:15:54.430

Modified: 2026-04-28T19:34:17.587

Link: CVE-2025-58825

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T02:30:25Z

Weaknesses