Calculated Fields Form Vulnerability- Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-0963 | WordPress Plugin Vulnerability Report

Plugin Name: Calculated Fields Form

Key Information:

  • Software Type: Plugin
  • Software Slug: calculated-fields-form
  • Software Status: Active
  • Software Author: codepeople
  • Software Downloads: 6,585,834
  • Active Installs: 60,000
  • Last Updated: February 12, 2024
  • Patched Versions: 1.2.53
  • Affected Versions: <= 1.2.52

Vulnerability Details:

  • Name: Calculated Fields Form <= 1.2.52
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-0963
  • CVSS Score: 6.4
  • Publicly Published: February 1, 2024
  • Researcher: Richard Telleng (stueotue)
  • Description: The Calculated Fields Form plugin for WordPress, known for its functionality to create dynamic forms with calculated fields, has been identified with a Stored Cross-Site Scripting vulnerability in versions up to and including 1.2.52. The vulnerability arises from insufficient input sanitization and output escaping within the 'location' attribute of the plugin's CP_CALCULATED_FIELDS shortcode. Authenticated users with contributor-level permissions or higher can exploit this flaw to inject and execute arbitrary web scripts on pages, potentially compromising site integrity and user security.


The Calculated Fields Form plugin, an essential tool for WordPress sites requiring dynamic form functionality, has a critical security flaw in versions up to 1.2.52. This vulnerability allows for Stored Cross-Site Scripting, posing significant risks to site security. The issue has been addressed in the newly released patch, version 1.2.53.

Detailed Overview:

Discovered by security researcher Richard Telleng, this vulnerability highlights the importance of stringent input validation and output encoding practices. The flaw specifically targets the plugin's shortcode functionality, a common feature in WordPress plugins, underscoring the potential for widespread impact. The ability for attackers to execute scripts poses threats ranging from data theft to complete site compromise. The prompt release of a patch reflects the critical nature of the vulnerability and the need for immediate action by website administrators.

Advice for Users:

  • Immediate Action: Upgrade to version 1.2.53 at the earliest to close the security gap.
  • Check for Signs of Vulnerability: Regularly review your site for unexpected content changes or user complaints, which might indicate exploitation.
  • Alternate Plugins: Consider evaluating other form builder plugins with similar features but ensure they are also up-to-date and secure.
  • Stay Updated: Make it a habit to keep all your WordPress plugins, themes, and the core updated to the latest versions to mitigate vulnerability risks.


The swift action taken by the developers of the Calculated Fields Form plugin to release a patch underscores the vital role of ongoing vigilance and prompt updates in maintaining website security. By updating to version 1.2.53, users can protect their WordPress installations from potential exploitation. This incident serves as a reminder of the ever-present need for proactive security measures in the digital landscape.


In the fast-paced digital world, the security of your website is paramount. The discovery of a significant vulnerability in the "Calculated Fields Form" WordPress plugin—CVE-2024-0963—serves as a stark reminder of the ever-present cyber threats. This plugin, revered for its ability to create dynamic forms, is a staple for many WordPress sites, making the impact of such vulnerabilities far-reaching.

Plugin Overview:

"Calculated Fields Form" is a versatile tool enabling site owners to build forms with dynamically calculated fields, ideal for quotations, bookings, and more. With over 6 million downloads and 60,000 active installations, its widespread use underlines the potential scale of the threat posed by the recent security flaw.

Vulnerability Insights:

The vulnerability, identified in versions up to and including 1.2.52, was uncovered by researcher Richard Telleng. It arises from insufficient sanitization and escaping within the 'location' attribute of the CP_CALCULATED_FIELDS shortcode, allowing attackers with contributor-level access or higher to inject harmful scripts. This Stored Cross-Site Scripting (XSS) vulnerability, cataloged as CVE-2024-0963 with a CVSS score of 6.4, exposes websites to various risks including data breaches, unauthorized access, and a tarnished reputation due to compromised site integrity.

Potential Risks and Impacts:

The exploitation of this vulnerability could lead to severe consequences, such as theft of sensitive data, unauthorized changes to website content, and distribution of malware to unsuspecting users. The breach of trust between a website and its users can have long-lasting effects, damaging the credibility and reliability of the site in the eyes of its visitors.

Remediation Steps:

To mitigate the risks, it's crucial to update the plugin to the patched version, 1.2.53, immediately. Website owners should also conduct thorough reviews for any unusual activities or content alterations that may indicate the site's compromise. Keeping all components of a WordPress site updated, including themes and other plugins, is essential in maintaining a secure online presence.

Historical Context:

This is not the plugin's first encounter with security issues; there have been 7 previous vulnerabilities reported since March 2, 2015. This history emphasizes the importance of continuous vigilance and the need for an ongoing commitment to security practices.

Concluding Thoughts:

For small business owners, the task of continuously monitoring and updating a WordPress site may seem daunting amidst myriad other responsibilities. However, the security of your website should never be an afterthought. Ignoring updates can leave your site vulnerable to attacks, jeopardizing not only your data but also your reputation and the trust of your users. Implementing routine security checks and updates is a critical investment in your business's online health and longevity. Leveraging managed WordPress hosting services or employing security plugins can alleviate some of the burdens, ensuring that your site remains secure even when your focus is needed elsewhere.

In the digital age, staying ahead of potential threats through proactive security measures is not just advisable; it's imperative for safeguarding your digital footprint and maintaining the trust of those who visit your online space.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Calculated Fields Form Vulnerability- Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-0963 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment