Affiliation: Miraheze Sysadmins & Security Reviewers
Spotted while chatting to a security reviewer on a trial about their concerns over whether anything would actually work (see https://phabricator.miraheze.org/T6607#130140).
I know it requires LS.php access but it's still a risk.
None of the wgVariables are validated, but most concerningly, via https://github.com/wikimedia/mediawiki-extensions-Commentbox/blob/master/includes/Hooks.php#L79 ($wgCommentboxRows and $wgCommentboxColumns), you could modify the HTML.
If someone really wanted to do this, they should just edit the extension properly. The extension should check these are valid numbers. Other wgVariables should also be validated where possible and checked for risks.
Added @Tbleher as they are the author
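
The numeric check requested above, as an added example that is not the Commentbox extension's code and not part of the original report. It contrasts configuration values concatenated into a `<textarea>` with the same values validated as bounded integers and escaped on output. The function names, the `name="comment"` attribute, the bounds and the fallback defaults are assumptions made for illustration.

```php
<?php
// Added example, not the extension's code. Function names, bounds and
// fallback defaults are assumptions chosen for illustration.

/**
 * Return $value as an int if it is a whole number within [$min, $max],
 * otherwise return $default.
 */
function validatedDimension( $value, int $default, int $min = 1, int $max = 200 ): int {
	$int = filter_var( $value, FILTER_VALIDATE_INT, [
		'options' => [ 'min_range' => $min, 'max_range' => $max ],
	] );
	return $int === false ? $default : $int;
}

/** Unvalidated pattern: configuration values concatenated straight into markup. */
function textareaUnchecked( $rows, $cols ): string {
	return '<textarea name="comment" rows="' . $rows . '" cols="' . $cols . '"></textarea>';
}

/** Hardened pattern: validate as integers first, then escape on output anyway. */
function textareaChecked( $rows, $cols ): string {
	$rows = validatedDimension( $rows, 5 );
	$cols = validatedDimension( $cols, 80 );
	return sprintf(
		'<textarea name="comment" rows="%s" cols="%s"></textarea>',
		htmlspecialchars( (string)$rows, ENT_QUOTES ),
		htmlspecialchars( (string)$cols, ENT_QUOTES )
	);
}

// Constructed sample settings: one value that closes the attribute early,
// one ordinary integer.
$wgCommentboxRows = '5" data-injected="1';
$wgCommentboxColumns = 80;

// The unchecked form emits an extra attribute taken from the setting.
echo textareaUnchecked( $wgCommentboxRows, $wgCommentboxColumns ), "\n";
// The checked form rejects the non-numeric value and falls back to the default.
echo textareaChecked( $wgCommentboxRows, $wgCommentboxColumns ), "\n";
```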