WordPress Plugin Vulnerabilities

Calculated Fields Form < 1.0.354 - Authenticated Stored XSS

Description

An authenticated user with access to edit or create Calculated Fields Form content can inject javascript into input fields such as ‘field name’ and ‘form name’.

Affects Plugins

Plugin icon
calculated-fields-form
Fixed in 1.0.354

References

CVE
CVE-2020-7228
URL
https://spider-security.co.uk/blog-cve-2020-7228
URL
https://plugins.trac.wordpress.org/changeset/2230479

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Ben Armstrong (Spider Sec Ltd)
Verified
No
WPVDB ID
7f7f9c1c-39af-4494-a3de-eb8fb5728cb1

Timeline

Publicly Published
2020-01-22 (about 6 years ago)
Added
2020-01-22 (about 6 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2023-02-20
Title
WP Custom Fields Search < 1.2.35 - Admin+ Stored XSS
Published
2025-05-16
Title
Ninja Tables Pro < 5.0.18 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-03-20
Title
Simple Giveaways < 2.45.1 - Admin+ Stored XSS
Published
2022-04-11
Title
Photo Gallery < 1.6.3 - Reflected Cross-Site Scripting
Published
2023-01-02
Title
Qubely < 1.8.5 - Contributor+ Stored XSS