How general should a vulnerability be to be eligible for a CVE?
From the CVE FAQ:
An information security vulnerability is a mistake in software that can be directly used by a hacker to gain access to a system or network. See the Terminology page for a complete explanation of how this term is used on the CVE Web site.
The intention of CVE is to be comprehensive with respect to all publicly known vulnerabilities and exposures. While CVE is designed to contain mature information, our primary focus is on identifying vulnerabilities and exposures that are detected by security tools and any new problems that become public.
If an individual website was breached, it is unlikely that the website owners will make publicly known. If they did make the details public, and it only affected their own proprietary software, it would be of little value to the public. If the vulnerability was in software used and produced by some vendor (open or closed), then its likely it could be come a CVE.
If a website is breached, that might not be the result of a CVE type attack, but maybe the more generic Common Weakness Enumeration (CWE). For example, if a site was breached by SQL injection or XSS, the specific string would not likely be a CVE, but could be classified under the CWE.
If you are looking for details of specific website attacks, you would want to look for breach reporting, such as the Privacy Right's Clearinghouse's Data Breach List.
The best way to test this would be to try to submit your find and see what the CVE community wants to do with it in their review process.
My understanding is that issues that affect individual websites (say, an XSS on facebook) are not eligible for a CVE, though web applications are. So, an issue that only affects Facebook isn't, but an issue in a web application like WordPress would be.
The application doesn't have to be popular - I once requested a CVE for an application that probably has less than 1,000 users.
You can request a CVE either directly from Mitre or (for open source software) via the oss-security mailing list - if there is a problem, or the issue isn't eligible, they'll let you know.
There are other groups such as OSVDB that track a broader range of issues; though I don't believe they track issues in specific web sites either.