Stored Cross-Site Scripting Vulnerability in Calculated Fields Form for WordPress
CVE-2023-6446
4.8 MEDIUM
What is CVE-2023-6446?
The Calculated Fields Form plugin for WordPress is vulnerable to stored cross-site scripting through its admin settings because the values are neither sanitized on input nor escaped on output. Authenticated attackers with admin-level privileges can exploit it to embed harmful scripts in pages viewed by users. The issue is relevant mainly on multi-site installations and on configurations where the 'unfiltered_html' capability is disabled, since in those cases administrators are not otherwise permitted to store raw HTML. Successful exploitation leads to unauthorized script execution in visitors' browsers, putting user data and site integrity at risk.
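The record above names the two missing controls, input sanitization and output escaping. The following is an added example, not code from the Calculated Fields Form plugin, showing how a WordPress plugin setting is normally hardened against this class of issue: a `sanitize_callback` filters the value before it reaches the database, and the value is escaped again at every point of output. The option names (`example_form_title`, `example_form_intro`), the settings group and the function names are hypothetical; the WordPress API calls (`register_setting`, `sanitize_text_field`, `wp_kses_post`, `esc_html`, `esc_attr`) are real.

```php
<?php
/**
 * Added example (not part of the Calculated Fields Form plugin): one plain-text
 * setting and one limited-HTML setting, sanitized on save and escaped on output.
 * Option names, settings group and function names are hypothetical.
 */

add_action( 'admin_init', function () {
    // A plain-text title: all markup is stripped before storage.
    register_setting(
        'example_form_settings',            // hypothetical settings group
        'example_form_title',               // hypothetical option name
        array(
            'type'              => 'string',
            'sanitize_callback' => 'sanitize_text_field',
            'default'           => '',
        )
    );

    // An intro text that legitimately needs some markup: wp_kses_post() keeps
    // the tags allowed in post content and drops script, event handlers and
    // javascript: URLs. The plugin no longer depends on whether the current
    // user holds 'unfiltered_html' (absent by default on multisite).
    register_setting(
        'example_form_settings',
        'example_form_intro',               // hypothetical option name
        array(
            'type'              => 'string',
            'sanitize_callback' => 'wp_kses_post',
            'default'           => '',
        )
    );
} );

/**
 * Output in HTML body context. Escaping here is not redundant with the
 * sanitize_callback: values written by older plugin versions or by other
 * code paths may still be raw, so the last line of defence is the output.
 */
function example_form_render_title() {
    $title = get_option( 'example_form_title', '' );
    echo '<h2 class="example-form-title">' . esc_html( $title ) . '</h2>';
}

/**
 * Output inside an HTML attribute: esc_attr() is the correct context-specific
 * escaper, so a stored double quote cannot close the attribute.
 */
function example_form_render_placeholder() {
    $title = get_option( 'example_form_title', '' );
    echo '<input type="text" name="example_name" placeholder="' . esc_attr( $title ) . '">';
}

/**
 * Output of the limited-HTML field: filter again with wp_kses_post() at output
 * time rather than echoing the stored string as-is.
 */
function example_form_render_intro() {
    $intro = get_option( 'example_form_intro', '' );
    echo '<div class="example-form-intro">' . wp_kses_post( $intro ) . '</div>';
}
```

The two halves are deliberately independent: the `sanitize_callback` protects the database from whatever an authenticated user submits on the settings page, and the `esc_*` / `wp_kses_post` calls protect every page that later renders the stored values. Removing either one recreates the defect the advisory describes, and the escaper must match the output context (`esc_html` for element content, `esc_attr` for attribute values, `esc_url` for link targets).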
Affected Version(s)
Calculated Fields Form * <= 1.2.40