WordPress Zero Spam [Unauthenticated Persistent XSS]
This plugin provides a feature to block comments that look like spam. This
feature logs every comment that was marked as spam. The logged attempts are
accessible in the admin panel under Settings → Zero Spam → Spammer Log.
$_SERVER['REQUEST_URI'] is not properly sanitized before it is stored in the
database or printed on screen, so a payload placed in the request path is saved
to the log and executed in the browser of any administrator who views it.
curl 'http://sbwp4.dev/wp-comments-post.php/<script>alert(1)</script>' \
  -d 'email@example.com&submit=Post+Comment&comment_post_ID=1&comment_parrent=0'
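To make the root cause concrete, the following is an added illustration and not the Zero Spam plugin's own code: a minimal sketch of the vulnerable pattern the advisory describes (the raw request URI written to a log table and echoed back in an admin page without escaping) next to a hardened version that normalises the value on storage and escapes it on output. The table name `zerospam_log_example`, the function names and the column name are hypothetical; `$wpdb->insert`, `sanitize_text_field`, `wp_unslash` and `esc_html` are standard WordPress APIs.

```php
<?php
// Added example (not the Zero Spam plugin's code). Function, table and column
// names are hypothetical; $wpdb is the global WordPress database object.

// --- Vulnerable pattern: the raw request URI is stored and later echoed as-is. ---
function example_log_spam_attempt_vulnerable( $wpdb ) {
    $wpdb->insert(
        $wpdb->prefix . 'zerospam_log_example',     // hypothetical log table
        array( 'uri' => $_SERVER['REQUEST_URI'] )     // no sanitization on the way in
    );
}

function example_render_log_vulnerable( $wpdb ) {
    $rows = $wpdb->get_results( "SELECT uri FROM {$wpdb->prefix}zerospam_log_example" );
    foreach ( $rows as $row ) {
        // Markup inside the stored URI is rendered, and therefore executed,
        // in the administrator's browser when the Spammer Log page is opened.
        echo '<tr><td>' . $row->uri . '</td></tr>';
    }
}

// --- Hardened pattern: treat REQUEST_URI as untrusted input on both sides. ---
function example_log_spam_attempt_hardened( $wpdb ) {
    // Normalise on storage: strip tags and control characters and cap the
    // length so the log cannot hold arbitrary markup or oversized values.
    $uri = isset( $_SERVER['REQUEST_URI'] ) ? wp_unslash( $_SERVER['REQUEST_URI'] ) : '';
    $uri = substr( sanitize_text_field( $uri ), 0, 2048 );

    $wpdb->insert(
        $wpdb->prefix . 'zerospam_log_example',
        array( 'uri' => $uri ),
        array( '%s' )                                  // explicit string placeholder
    );
}

function example_render_log_hardened( $wpdb ) {
    $rows = $wpdb->get_results( "SELECT uri FROM {$wpdb->prefix}zerospam_log_example" );
    foreach ( $rows as $row ) {
        // Escape at the point of output regardless of what was stored. This is
        // the control that actually stops a stored payload from executing, even
        // for rows written before the storage-side sanitization was added.
        echo '<tr><td>' . esc_html( $row->uri ) . '</td></tr>';
    }
}
```

Output escaping with `esc_html()` is the decisive fix: it neutralises whatever already sits in the log table, including entries written by the vulnerable version. Sanitising on storage is defence in depth and also keeps the log readable, but it does not replace escaping, because the same stored value may later be rendered in a different context (an attribute, a JSON response) that needs a different escaper.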