Calculated Fields Form < 1.2.41 – Authenticated (Admin+) Stored Cross-Site Scripting | CVE 2023-6446 | Plugin Vulnerabilities

Description

The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.40 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

calculated-fields-form

Fixed in 1.2.41

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/c879123c-531e-43d8-a7d3-16a3c86b68a3

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

emad

Verified

No

WPVDB ID

39c391a1-a7b2-47a3-928b-99fed5ee69fa

Timeline

Publicly Published

2023-12-05 (about 2 years ago)

Added

2023-12-07 (about 2 years ago)

Last Updated

2023-12-07 (about 2 years ago)

Other

Published

Title

Published

2023-05-25

Title

Google Map Shortcode <= 3.1.2 - Contributor+ Stored XSS

Published

2021-09-09

Title

WordPress 5.4 to 5.8 - Authenticated XSS in Block Editor

Published

2024-11-27

Title

Awesome Event Booking < 2.7.2 - Reflected Cross-Site Scripting

Published

2023-08-30

Title

NotifyVisitors <= 1.0 - Admin+ Stored XSS

Published

2025-02-21

Title

Better Customer List for WooCommerce <= 1.2.3 - Reflected Cross-Site Scripting