Stored Cross-Site Scripting Vulnerability in Calculated Fields Form Plugin for WordPress
CVE-2024-2020

7.2HIGH

Key Information:

Vendor: Wordpress
Status: Calculated Fields Form
Vendor: CVE Published:; 13 March 2024

Summary

The Calculated Fields Form plugin for WordPress contains a vulnerability that exposes users to Stored Cross-Site Scripting (XSS) attacks. This flaw occurs due to inadequate input sanitization and output escaping in the form page's href parameter. An unauthenticated attacker can exploit this vulnerability to inject malicious web scripts into pages, which will execute when a victim accesses the compromised page. To successfully exploit this vulnerability, the perpetrator must possess the professional version of the plugin or higher.

Affected Version(s)

Calculated Fields Form * <= 5.1.56

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/calculated-fields-form/#dev...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Mar 13, 2024
Vulnerability Reserved
Feb 29, 2024

Credit

Asaf Mozes