CVE-2022-3909 is a stored Cross-Site Scripting (XSS) vulnerability identified in the WordPress plugin "Add Comments" up to version 1.0.1. The vulnerability arises because the plugin fails to properly sanitize and escape certain settings inputs. This flaw allows users with high privileges, such as administrators, to inject malicious scripts that are stored persistently within the plugin's data. Notably, this vulnerability can be exploited even when the WordPress capability 'unfiltered_html' is disabled, such as in multisite environments, which typically restricts the ability to post unfiltered HTML content. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS v3.1 base score is 4.8 (medium severity), with vector AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, meaning the attack can be launched remotely over the network with low attack complexity but requires high privileges and user interaction. The scope is changed (S:C), indicating that the vulnerability affects resources beyond the security scope of the vulnerable component. The impact affects confidentiality and integrity to a limited extent but does not affect availability. There are no known exploits in the wild, and no patches or updates have been linked yet. The vulnerability is significant because stored XSS can lead to session hijacking, privilege escalation, or further compromise of the WordPress site, especially when performed by an admin user who already has elevated rights. Since the plugin is not widely known and the vendor is unspecified, the exact prevalence is unclear, but WordPress remains a popular CMS in Europe, and many organizations use plugins to extend functionality, making this a relevant risk vector.

For European organizations using WordPress with the Add Comments plugin, this vulnerability poses a risk primarily to site integrity and confidentiality. An attacker with admin privileges could inject malicious scripts that execute in the context of other administrators or users, potentially leading to credential theft, unauthorized actions, or further malware deployment. In multisite setups common in enterprise or educational environments, the inability to rely on 'unfiltered_html' as a mitigation increases risk exposure. Although the vulnerability does not directly affect availability, the compromise of administrative accounts or data integrity could disrupt operations, damage reputation, and lead to compliance issues under GDPR if personal data is exposed or manipulated. Given the medium CVSS score and requirement for high privileges and user interaction, the threat is more relevant in insider threat scenarios or where admin credentials are compromised. However, the stored nature of the XSS means that once injected, the malicious payload can affect multiple users and persist over time, increasing potential impact. Organizations relying on WordPress for public-facing or internal portals should consider this a moderate risk that could be leveraged as part of a broader attack chain.

1. Immediate mitigation should include auditing WordPress installations to identify the presence of the Add Comments plugin and its version. 2. Since no official patch is linked, organizations should consider disabling or uninstalling the plugin until a secure update is available. 3. Restrict administrative access strictly to trusted personnel and enforce strong authentication mechanisms, such as multi-factor authentication (MFA), to reduce the risk of credential compromise. 4. Implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in the browser context. 5. Regularly review and sanitize all plugin settings and inputs, especially those editable by administrators, to detect and remove any injected scripts. 6. Monitor logs and user activity for unusual behavior indicative of XSS exploitation attempts. 7. For multisite environments, review and tighten capability assignments and consider additional input validation layers at the application or web server level. 8. Engage with the WordPress security community or plugin developers to track the release of patches or updates addressing this vulnerability. 9. Educate administrators about the risks of stored XSS and safe content management practices to prevent inadvertent exploitation.