WordPress Plugin Vulnerabilities

Calculated Fields Form < 5.2.46 - HTML Injection

Description

The plugin is vulnerable to HTML Injection due to the plugin not properly neutralizing HTML elements from submitted forms. This makes it possible for unauthenticated attackers to inject arbitrary HTML that will render when the administrator views form submissions in their email.

Affects Plugins

Plugin icon
calculated-fields-form
Fixed in 5.2.46

References

CVE
CVE-2024-9940
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/e2c9f6a5-8698-4452-bf0a-c1d796b2fdad

Classification

Type
CONTENT INJECTION
OWASP top 10
A1: Injection
CWE
CWE-345
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Max Boll (_b0lli)
Verified
No
WPVDB ID
2c7bc31e-99ac-4a94-857b-ce5190c1608c

Timeline

Publicly Published
2024-10-16 (about 1 year ago)
Added
2024-10-16 (about 1 year ago)
Last Updated
2024-10-16 (about 1 year ago)

Other

Published
Title
Published
2021-09-23
Title
Ark Comment Editor <= 2.15.6 - Iframe Injection via Comment
Published
2026-02-26
Title
Fluent Forms Pro Add On Pack < 6.1.18 - Missing Authorization to Unauthenticated Payment Status modification
Published
2026-02-11
Title
WooODT Lite <= 2.5.2 - Unauthenticated Payment Bypass
Published
2023-12-27
Title
Booster Elite for WooCommerce < 7.1.3 - Subscriber+ Content Injection
Published
2024-06-03
Title
Claudio Sanches – Checkout Cielo for WooCommerce <= 1.1.0 - Insufficient Verification of Data Authenticity to Order Payment Status Update