CVE-2021-38336: 
WordPress vulnerability analysis and mitigation

The Edit Comments XT WordPress plugin (versions up to and including 1.0) was identified with a Reflected Cross-Site Scripting vulnerability, tracked as CVE-2021-38336. The vulnerability was discovered and reported by researcher p7e4, with the initial disclosure occurring on September 9, 2021. The vulnerability affects the plugin's handling of the $SERVER["PHPSELF"] value in the ~/edit-comments-xt.php file (NVD, Wordfence).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and received a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The issue stems from improper handling of the $SERVER["PHPSELF"] variable in the edit-comments-xt.php file, which can be exploited to inject malicious web scripts (NVD).

When successfully exploited, this vulnerability allows attackers to inject arbitrary web scripts into the application, potentially affecting users who interact with the compromised plugin interface. The CVSS scoring indicates low impact on both confidentiality and integrity, with no impact on availability (NVD).

As of the latest reports, no official patch has been released for this vulnerability. Users of the Edit Comments XT WordPress plugin should consider removing or disabling the plugin until a security update becomes available (Wordfence).