Stored Cross-Site Scripting Vulnerability in Calculated Fields Form Plugin for WordPress
CVE-2024-2020

6.1MEDIUM

Key Information:

Vendor: Wordpress
Status: Calculated Fields Form
Vendor: CVE Published:; 13 March 2024

What is CVE-2024-2020?

The Calculated Fields Form plugin for WordPress contains a vulnerability that exposes users to Stored Cross-Site Scripting (XSS) attacks. This flaw occurs due to inadequate input sanitization and output escaping in the form page's href parameter. An unauthenticated attacker can exploit this vulnerability to inject malicious web scripts into pages, which will execute when a victim accesses the compromised page. To successfully exploit this vulnerability, the perpetrator must possess the professional version of the plugin or higher.

Affected Version(s)

Calculated Fields Form * <= 5.1.56

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/calculated-fields-form/#dev...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 13, 2024
Vulnerability Reserved
Feb 29, 2024

Credit

Asaf Mozes