Stored Cross-Site Scripting Vulnerability in Calculated Fields Form for WordPress
CVE-2023-6446
4.8 MEDIUM
Summary
The Calculated Fields Form plugin for WordPress is vulnerable to stored cross-site scripting via its admin settings because submitted values are not adequately sanitized on save and not escaped on output. Authenticated attackers with admin-level privileges can store arbitrary web scripts in the affected settings, and those scripts then execute whenever a user views a page where the setting is rendered. It particularly affects multi-site installations and configurations where the 'unfiltered_html' capability is disabled: on a standard single-site installation administrators hold 'unfiltered_html' and may post arbitrary HTML by design, whereas on multi-site only super admins have it, so an administrator there is not expected to be able to inject script. A successful attack results in unauthorized script execution in users' browsers, putting user data and site integrity at risk.
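The following is an added illustration, written for this entry and not code from the Calculated Fields Form plugin, of the weakness class the summary describes: a plugin admin setting that is stored without sanitization and echoed without escaping, beside the hardened form that sanitizes on save and escapes for the HTML context on output. The option name (hypo_form_label), function names and settings group are assumptions; the WordPress API calls (register_setting, sanitize_text_field, esc_html, esc_attr, wp_kses_post, current_user_can) are real.

```php
<?php
// Added illustration, not the plugin's own code. Option, field and function
// names prefixed "hypo_" are assumptions chosen for this example.

// --- Weak pattern: raw value persisted and echoed back unescaped. ---
function hypo_save_label_weak() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'hypo_save_label' );
    // No sanitization: whatever the admin submits is stored verbatim.
    $raw = isset( $_POST['hypo_form_label'] ) ? wp_unslash( $_POST['hypo_form_label'] ) : '';
    update_option( 'hypo_form_label', $raw );
}

function hypo_render_label_weak() {
    // No output escaping: a stored <script> payload runs in every visitor's browser.
    echo '<label>' . get_option( 'hypo_form_label', '' ) . '</label>';
}

// --- Hardened pattern: sanitize on save, escape on output. ---
function hypo_register_settings() {
    register_setting(
        'hypo_settings',                // hypothetical settings group
        'hypo_form_label',              // hypothetical option name
        array(
            'type'              => 'string',
            'sanitize_callback' => 'hypo_sanitize_label',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'hypo_register_settings' );

function hypo_sanitize_label( $value ) {
    // A plain-text label never legitimately needs markup: strip tags,
    // octets and line breaks before the value reaches the database.
    return sanitize_text_field( (string) $value );
}

function hypo_render_label_safe() {
    $label = get_option( 'hypo_form_label', '' );
    // Escape at the point of output for the context the value lands in,
    // even though it was sanitized on save: the save path and the render
    // path are separate code and can diverge over time.
    echo '<label for="hypo-field">' . esc_html( $label ) . '</label>';
    echo '<input id="hypo-field" name="hypo_field" value="' . esc_attr( $label ) . '">';
}

// Where a setting legitimately carries limited HTML, filter it to a safe
// subset unless the saving user holds unfiltered_html. On multi-site that
// capability is granted only to super admins, which is why an ordinary
// administrator there must not be able to store script through a setting.
function hypo_sanitize_rich_text( $value ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        return (string) $value;
    }
    return wp_kses_post( (string) $value );
}
```

The defensive point is that both halves are needed: sanitize_text_field or wp_kses_post on save bounds what can be stored, and esc_html or esc_attr on output guarantees the stored value cannot break out of the HTML or attribute context regardless of how it got into the database.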
Affected Version(s)
Calculated Fields Form * <= 1.2.40
References
CVSS V3.1
Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
emad