WordPress Plugin Vulnerabilities

Calculated Fields Form < 5.3.59 - Cross-Site Request Forgery

Description

The Calculated Fields Form plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.3.58. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
calculated-fields-form
Fixed in 5.3.59

References

CVE
CVE-2025-49291
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/2ca9b3e2-bb3a-44e0-8bff-0c9365449ce4

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Trương Hữu Phúc (truonghuuphuc)
Verified
No
WPVDB ID
53bdcf19-1c55-40bf-bc37-3f9f549d5774

Timeline

Publicly Published
2025-06-05 (about 1 year ago)
Added
2025-06-11 (about 1 year ago)
Last Updated
2025-06-11 (about 1 year ago)

Other

Published
Title
Published
2025-06-02
Title
Contact Forms by Cimatti Plugin < 1.9.9 - Cross-Site Request Forgery
Published
2022-05-12
Title
WP Simple Adsense Insertion < 2.1 - Inject ads and javascript via CSRF
Published
2023-01-13
Title
Hover Image <= 1.4.1 - CSRF
Published
2025-03-24
Title
Custom Script Integration <= 2.1 - Cross-Site Request Forgery
Published
2025-05-07
Title
Sidebar Manager Light <= 1.18 - Cross-Site Request Forgery