Calculated Fields Form Vulnerability – Unauthenticated Stored Cross-Site Scripting – CVE-2024-2020 | WordPress Plugin Vulnerability Report

Plugin Name: Calculated Fields Form

Key Information:

  • Software Type: Plugin
  • Software Slug: calculated-fields-form
  • Software Status: Active
  • Software Author: codepeople
  • Software Downloads: 6,626,617
  • Active Installs: 60,000
  • Last Updated: March 1, 2024
  • Patched Versions: 5.1.57
  • Affected Versions: <= 5.1.56

Vulnerability Details:

  • Name: Calculated Fields Form Professional <= 5.1.56
  • Title: Unauthenticated Stored Cross-Site Scripting
  • Type: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-2020
  • CVSS Score: 7.2
  • Publicly Published: March 1, 2024
  • Researcher: Asaf Mozes
  • Description: The Calculated Fields Form plugin, a widely utilized tool for creating dynamic forms in WordPress, has been identified with a significant security vulnerability in versions up to 5.1.56. This Stored Cross-Site Scripting (XSS) vulnerability arises from the plugin's handling of the form page href parameter, lacking adequate input sanitization and output escaping. Consequently, unauthenticated attackers can execute arbitrary web scripts on affected pages, impacting any user who accesses these pages. This vulnerability specifically impacts the professional version of the plugin or higher.


The Calculated Fields Form plugin harbors a critical vulnerability in versions up to and including 5.1.56, enabling Unauthenticated Stored Cross-Site Scripting attacks. This vulnerability has been effectively addressed in version 5.1.57, bolstering the security of the plugin against such exploits.

Detailed Overview:

Discovered by security researcher Asaf Mozes, this vulnerability underscores the imperative need for stringent input validation and output encoding in web development, especially in plugins facilitating user inputs and dynamic content creation. The exploitation of this flaw could lead to unauthorized script execution, compromising site integrity and user data. The release of patch 5.1.57 by the Calculated Fields Form development team is a pivotal step in mitigating this risk and safeguarding WordPress installations utilizing this plugin.

Advice for Users:

  • Immediate Action: Users of the Calculated Fields Form plugin are urged to update to the patched version, 5.1.57, promptly to secure their sites against potential XSS attacks.
  • Check for Signs of Vulnerability: Administrators should remain vigilant for any unusual site behavior or unauthorized content alterations, which may indicate the exploitation of this vulnerability.
  • Alternate Plugins: While the patched version addresses this issue, users might also consider exploring alternative form creation plugins that consistently demonstrate a strong commitment to security.
  • Stay Updated: Regularly updating all WordPress plugins and themes is essential in protecting against known vulnerabilities and maintaining a secure online presence.


The identification and prompt resolution of the Unauthenticated Stored Cross-Site Scripting vulnerability in the Calculated Fields Form plugin highlight the ongoing challenges in web security. This incident serves as a crucial reminder of the importance of regular software updates and proactive security measures in safeguarding digital assets. For small business owners and website operators, prioritizing these practices is fundamental in protecting their digital presence and maintaining user trust in an increasingly interconnected digital environment.


In today's digital age, where WordPress powers a significant portion of the web, the security of plugins becomes paramount for website owners and developers. The recent discovery of a vulnerability in the Calculated Fields Form plugin, identified as CVE-2024-2020, has cast a spotlight on the continuous threat landscape that online platforms navigate. This plugin, esteemed for its dynamic form creation capabilities, is a critical tool for over 60,000 websites, making any security flaw within it a matter of widespread concern.

Calculated Fields Form: A Vital Tool for Dynamic Forms

Calculated Fields Form has established itself as a versatile plugin within the WordPress ecosystem, enabling users to create forms that perform real-time calculations. Developed by codepeople, it boasts over 6.6 million downloads, underscoring its popularity and utility. The plugin's ability to enhance user interaction and data collection on websites makes it an invaluable asset for business owners, especially those without extensive coding knowledge.

Unveiling the Vulnerability: CVE-2024-2020

CVE-2024-2020 reveals a critical Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability present in versions of the Calculated Fields Form plugin up to 5.1.56. This flaw stems from inadequate input sanitization and output escaping concerning the form page href parameter, allowing attackers to inject malicious scripts executed by unsuspecting users. Publicly disclosed by researcher Asaf Mozes on March 1, 2024, this vulnerability poses a significant risk, particularly in the professional version of the plugin, where the complexity of forms and the data processed are typically greater.

Potential Risks and Impacts

The implications of this vulnerability are multifaceted, ranging from compromised site integrity to unauthorized access to sensitive user data. For small business owners, the breach could lead to a loss of customer trust, reputational damage, and potential legal ramifications, especially if personal data is exposed or manipulated.

Mitigating the Threat

In response to CVE-2024-2020, the developers of Calculated Fields Form promptly issued patch 5.1.57, effectively neutralizing the threat posed by this vulnerability. Users are strongly encouraged to update their plugin to this latest version to ensure their site's security. Additionally, routine checks for unusual site behavior and unauthorized content changes can help in early detection of potential exploits.

Navigating Past Vulnerabilities

This is not the plugin's first encounter with security issues; there have been 8 reported vulnerabilities since March 2, 2015. Each instance has provided valuable insights into the evolving nature of cyber threats and the importance of a proactive approach to web security.

The Imperative of Vigilance

The incident underscores a crucial lesson for all small business owners and WordPress users: the importance of staying vigilant and keeping all components of their websites, especially plugins, up to date. In an era where cyber threats are ever-evolving, the security of digital assets cannot be taken for granted. Regular updates, coupled with a keen eye on security advisories, are fundamental in fortifying online platforms against potential breaches. For those juggling the myriad responsibilities of running a business, prioritizing the security of their digital presence is not just a best practice but a necessity for safeguarding their operations, reputation, and the trust of their users in the interconnected digital marketplace.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Leave a Comment