Calculated Fields Form Vulnerability - Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-0963 | WordPress Plugin Vulnerability Report
Plugin Name: Calculated Fields Form
Key Information:
- Software Type: Plugin
- Software Slug: calculated-fields-form
- Software Status: Active
- Software Author: codepeople
- Software Downloads: 6,585,834
- Active Installs: 60,000
- Last Updated: February 12, 2024
- Patched Versions: 1.2.53
- Affected Versions: <= 1.2.52
Vulnerability Details:
- Name: Calculated Fields Form <= 1.2.52
- Title: Authenticated (Contributor+) Stored Cross-Site Scripting
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- CVE: CVE-2024-0963
- CVSS Score: 6.4 (Medium)
- Publicly Published: February 1, 2024
- Researcher: Richard Telleng (stueotue)
- Description: The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'location' attribute of its CP_CALCULATED_FIELDS shortcode in all versions up to and including 1.2.52, due to insufficient input sanitization and output escaping on that attribute. Any authenticated user with contributor-level access or higher can place the shortcode, with a crafted attribute value, in a post or draft; the injected script is stored with the post and executes in the browser of any user who views the rendered page, including administrators who preview or review the content.
Summary:
The Calculated Fields Form plugin, a form builder for WordPress with roughly 60,000 active installs, has a Stored Cross-Site Scripting flaw in versions up to and including 1.2.52, rated Medium (CVSS 6.4). The issue is fixed in version 1.2.53.
Detailed Overview:
Discovered by security researcher Richard Telleng, this vulnerability is a reminder that every shortcode attribute is attacker-controlled input and must be escaped for the context it is output into (esc_attr() for HTML attributes, esc_html() for text). The flaw sits in the plugin's shortcode handling, a feature shared by most WordPress plugins, so the same pattern is worth checking elsewhere. Because the script runs in the browser of whoever views the injected page, the impact ranges from theft of the viewer's session or data to actions performed with an administrator's privileges when an administrator opens the page, which can end in full site takeover. The contributor-level requirement matters: sites that accept guest authors or allow open registration with contributor rights expose this flaw to largely untrusted users, so administrators should treat the fix as a priority update.
Advice for Users:
- Immediate Action: Upgrade to version 1.2.53 or later to close the gap.
- Check for Signs of Exploitation: Search stored post content, including drafts and pending posts (contributors cannot publish, but administrators preview their drafts), for CP_CALCULATED_FIELDS shortcodes whose location attribute contains quotes, angle brackets, javascript: or on*= handler fragments, and review recently added contributor accounts and any unexpected content changes.
- Alternate Plugins: If you evaluate other form builders with similar features, hold them to the same standard and keep them updated as well.
- Stay Updated: Keep WordPress core, plugins and themes on their latest versions, and enable automatic plugin updates where your change process allows it.
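To make both the mechanism described in the Vulnerability Details and the exploitation check above concrete, here is an added Python example. It is not the plugin's code (the real sink is PHP and is not shown on this page): it models WordPress shortcode attribute parsing, puts an assumed unescaped `data-location` sink beside its esc_attr()-style fix, and scans constructed post content for shortcodes whose location attribute carries handler or markup fragments. The `data-location` output, the post IDs and the payload are assumptions for illustration.

```python
import html
import re

# Attribute parser modelled on WordPress's shortcode_parse_atts(): it accepts
# key="value", key='value' and key=value. A single-quoted value may contain
# double quotes, which is how a closing quote for the *output* context can be
# smuggled through the shortcode without any '<' that wp_kses would strip.
ATT_RE = re.compile(
    r"""(\w+)\s*=\s*"([^"]*)"|(\w+)\s*=\s*'([^']*)'|(\w+)\s*=\s*([^\s'"]+)"""
)
SHORTCODE_RE = re.compile(r"\[CP_CALCULATED_FIELDS([^\]]*)\]")

# Characters and fragments that have no business in a location value but are
# meaningful inside an HTML attribute or tag.
SUSPICIOUS_RE = re.compile(r"""[<>"']|javascript:|\bon\w+\s*=""", re.IGNORECASE)

# Constructed sample post content (not real data): one benign use of the
# shortcode and one draft carrying an injected event handler.
POSTS = {
    101: 'Contact us: [CP_CALCULATED_FIELDS id="1" location="sidebar"]',
    102: "Draft [CP_CALCULATED_FIELDS id=\"1\" "
         "location='x\" onmouseover=\"alert(document.cookie)']",
}


def parse_atts(text):
    """Return the shortcode's attributes as a dict; a repeated key keeps the last value."""
    atts = {}
    for m in ATT_RE.finditer(text):
        if m.group(1):
            atts[m.group(1)] = m.group(2)
        elif m.group(3):
            atts[m.group(3)] = m.group(4)
        else:
            atts[m.group(5)] = m.group(6)
    return atts


def render_vulnerable(atts):
    """Hypothetical pre-1.2.53 sink: the attribute value is interpolated as-is."""
    return '<div class="cff-form" data-location="%s"></div>' % atts.get("location", "")


def render_hardened(atts):
    """esc_attr()-style fix: encode & < > " ' so the value can neither close
    the attribute nor open a tag. html.escape(quote=True) covers the same set."""
    return '<div class="cff-form" data-location="%s"></div>' % html.escape(
        atts.get("location", ""), quote=True
    )


def find_suspicious_shortcodes(posts):
    """Scan stored post content for CP_CALCULATED_FIELDS shortcodes whose
    location attribute carries markup or handler fragments. Returns
    (post_id, location_value) pairs for manual review."""
    findings = []
    for post_id, content in posts.items():
        for m in SHORTCODE_RE.finditer(content):
            location = parse_atts(m.group(1)).get("location", "")
            if SUSPICIOUS_RE.search(location):
                findings.append((post_id, location))
    return findings


if __name__ == "__main__":
    atts = parse_atts(SHORTCODE_RE.search(POSTS[102]).group(1))
    print("vulnerable:", render_vulnerable(atts))
    print("hardened:  ", render_hardened(atts))
    print("flagged:   ", find_suspicious_shortcodes(POSTS))
```

The payload deliberately contains no `<`, because wp_kses (applied to contributor content) strips disallowed tags and attributes in HTML markup but does not inspect shortcode attribute text; a stray closing quote plus an `on*` handler is enough once the value reaches an attribute context unescaped. On a live site the same scan can be run over the output of `wp post list --post_status=any --field=post_content` or a direct query against wp_posts, treating every hit as something to inspect rather than proof of compromise.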
Conclusion:
The developers of the Calculated Fields Form plugin released a fix in version 1.2.53; updating to that version or later protects WordPress installations from exploitation of this flaw. Beyond the update itself, the incident is a reminder that contributor-level accounts are a real attack surface and that any content they can store must be escaped on output.
References:
- Wordfence Vulnerability Report on Calculated Fields Form 1.2.52
- Wordfence Vulnerability Overview for Calculated Fields Form