The plugin does not escape Field Error Message, which could allow high-privileged users to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
Create/edit a Comment Fields (Comments > Comment Fields) and put the following payload in the Error Message setting: "autofocus onfocus=alert(/XSS/)// The XSS will be triggered in any post
CPE | Name | Operator | Version |
---|---|---|---|
wp-comment-fields | lt | 4.1 |