Stored Cross-Site Scripting in Calculated Fields Form for WordPress
CVE-2026-3986

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: Calculated Fields Form
Vendor: CVE Published:; 13 March 2026

What is CVE-2026-3986?

The Calculated Fields Form plugin for WordPress is susceptible to Stored Cross-Site Scripting vulnerabilities due to inadequate capability checks and insufficient input sanitization in specific form settings. This flaw allows authenticated users with Contributor-level access and above to inject malicious scripts through the form settings, leading to the execution of these scripts on web pages whenever accessed by users. This could potentially expose users to various security threats, highlighting the need for prompt updates and improved security measures.

Affected Version(s)

Calculated Fields Form 0 <= 5.4.5.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/calculated-fie...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 13, 2026
Vulnerability Reserved
Mar 11, 2026

Credit

Hunter Jensen

CVE-2026-3986 Data

JSON