WordPress Plugin Vulnerabilities

Caldera Forms <= 1.5.4 - Authenticated Cross-Site Scripting (XSS)

Description

Version 1.5.4 and earlier of Caldera Forms is vulnerable to a reflected cross-site scripting vulnerability in the "edit" parameter, which is not properly escaped before being printed in an HTML attribute. An attacker can use this to craft URLs that, when clicked, result in malicious JavaScript being executed. Because Caldera Forms uses 'wp_rest' nonces to access the WordPress REST API – a common practice among plugin developers – this Javascript may include anything the user is capable of doing in the REST API.

Proof of Concept

Affects Plugins

Plugin icon
caldera-forms
Fixed in 1.5.5

References

URL
https://calderaforms.com/updates/caldera-forms-1-5-5/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Submitter
Will Brand
Submitter twitter
wrbrand
Verified
No
WPVDB ID
c70219da-eab2-4d0b-ac5a-77f6d565ef31

Timeline

Publicly Published
2017-09-08 (about 8 years ago)
Added
2017-10-30 (about 8 years ago)
Last Updated
2021-01-19 (about 5 years ago)

Other

Published
Title
Published
2025-06-05
Title
YouTube Simple Gallery <= 2.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-07-25
Title
Ninja Forms < 3.6.26 - Reflected Cross-Site Scripting
Published
2025-10-21
Title
Responsive iframe GoogleMap <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2022-04-07
Title
Visual Form Builder < 3.0.7 - Admin+ Stored Cross-Site Scripting
Published
2025-08-14
Title
WP Pipes <= 1.4.3 - Reflected Cross-Site Scripting