WordPress Plugin Vulnerabilities

Calculated Fields Form < 1.1.151 - Admin+ Stored Cross-Site Scripting via Dropdown Fields

Description

The plugin does not sanitise and escape some of its form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Partial fixes were implemented in versions 1.1.148, 1.1.150, and 1.1.151.

Proof of Concept

Affects Plugins

Plugin icon
calculated-fields-form
Fixed in 1.1.151

References

CVE
CVE-2023-0389

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Numan Rajkotiya
Submitter
Numan Rajkotiya
Submitter twitter
nmmcon
Verified
Yes
WPVDB ID
090a3922-febc-4294-82d2-d8339d461893

Timeline

Publicly Published
2023-01-17 (about 2 years ago)
Added
2023-02-22 (about 2 years ago)
Last Updated
2023-02-22 (about 2 years ago)

Other

Published
Title
Published
2024-01-05
Title
Happy Addons for Elementor (Free < 3.10.0, Pro < 2.10.0) - Reflected Cross-Site Scripting
Published
2025-07-30
Title
GiveWP – Donation Plugin and Fundraising Platform < 4.6.0 - Authenticated (GiveWP worker+) Stored Cross-Site Scripting
Published
2022-10-17
Title
Gutenberg < 14.3.1 - Multiple Stored XSS
Published
2022-09-06
Title
WP Socializer < 7.3 - Admin+ Stored Cross-Site Scripting
Published
2023-08-11
Title
Avartan Slider Lite <= 1.5.3 - Reflected XSS