VYPR
Medium severity (score 5.9) · NVD Advisory · Published Sep 5, 2025 · Updated Apr 28, 2026

CVE-2025-58825

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Habibur Rahman Comment Form WP – Customize Default Comment Form (comment-form-wp) allows Stored XSS. This issue affects Comment Form WP – Customize Default Comment Form: from n/a through <= 2.0.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS vulnerability in Comment Form WP plugin (≤2.0.1) allows attackers to inject malicious scripts via comment forms, affecting WordPress sites.

The Comment Form WP – Customize Default Comment Form plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation. Versions through 2.0.1 fail to sanitize or escape input submitted via comment forms, allowing arbitrary HTML and JavaScript to be stored and later executed in the context of the affected site [1].

Exploitation requires a privileged user—such as an administrator—to perform an action like clicking a malicious link, visiting a crafted page, or submitting a specially crafted form. Once the malicious script is stored, it will execute automatically when any visitor loads the page containing the injected content [1].

Successful exploitation enables an attacker to inject malicious scripts, including redirects, advertisements, and other HTML payloads, which can compromise site visitors or deface the website. This vulnerability is known to be used in mass-exploit campaigns targeting thousands of WordPress sites regardless of their size or popularity [1].

As an immediate mitigation, users should update the Comment Form WP plugin to version 2.0.2 or later. If updating is not possible, it is recommended to contact the hosting provider or a web developer for assistance [1].
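The CWE named above (improper neutralization during page generation) comes down to one missing step: escaping a stored string for the HTML context it is printed into. The following is an added example, not code from the Comment Form WP plugin, showing the weak pattern beside its hardened form in a hypothetical comment-form customization; the `cfw_demo_*` names and option keys are assumptions, while `sanitize_text_field`, `esc_html`, `esc_attr`, `wp_kses` and the `comment_form_defaults` filter are standard WordPress APIs.

```php
<?php
// Added example (not the plugin's code): a hypothetical customization that
// stores an admin-supplied label/notice and echoes it into the comment form.
// All cfw_demo_* names and option keys are assumptions.

// --- Weak pattern: stored without sanitization, rendered without escaping.
function cfw_demo_save_label_unsafe( $label ) {
    update_option( 'cfw_demo_label', $label );           // raw string persisted
}
function cfw_demo_render_label_unsafe() {
    $label = get_option( 'cfw_demo_label', 'Comment' );
    echo '<label for="comment">' . $label . '</label>';  // any markup in $label is emitted as-is
}

// --- Hardened pattern: sanitize on input, escape for the exact output context.
function cfw_demo_save_label( $label ) {
    // Keep plain text only before persisting.
    update_option( 'cfw_demo_label', sanitize_text_field( $label ) );
}
function cfw_demo_render_label() {
    $label = get_option( 'cfw_demo_label', 'Comment' );
    // HTML text context: esc_html() is the neutralization step the CWE describes as missing.
    echo '<label for="comment">' . esc_html( $label ) . '</label>';
}
function cfw_demo_render_placeholder() {
    $placeholder = get_option( 'cfw_demo_placeholder', '' );
    // Attribute context needs esc_attr(), not esc_html().
    echo '<textarea name="comment" placeholder="' . esc_attr( $placeholder ) . '"></textarea>';
}
function cfw_demo_render_notice() {
    $notice  = get_option( 'cfw_demo_notice', '' );
    // If limited markup must be allowed, whitelist tags and attributes instead of echoing raw HTML.
    $allowed = array(
        'a'      => array( 'href' => array(), 'rel' => array() ),
        'strong' => array(),
    );
    echo '<p class="comment-notes">' . wp_kses( $notice, $allowed ) . '</p>';
}

// Hook the hardened notice renderer into the default comment form.
add_filter( 'comment_form_defaults', function ( $defaults ) {
    ob_start();
    cfw_demo_render_notice();
    $defaults['comment_notes_before'] = ob_get_clean();
    return $defaults;
} );
```

Sanitizing on save alone is not sufficient: data can enter the option table through other paths (imports, direct database edits, older plugin versions), so escaping at the point of output is the control that actually prevents stored markup from executing, and the escaping function must match the context (text node, attribute, URL).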

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0

No linked articles in our index yet.