Question 1

What exactly is the vulnerability in Calculated Fields Form?

Accepted Answer

What exactly is the vulnerability in Calculated Fields Form?

The vulnerability is a stored cross-site scripting (XSS) issue tracked as CVE-2023-6446 affecting versions up to and including 1.2.40. Due to insufficient input validation and output encoding, an attacker with admin access can inject malicious scripts into the database or files. These will execute when certain pages are loaded.

This makes it possible for the attacker to steal data, deface sites, launch more attacks, and more. It allows them to control parts of the website seen by its visitors. Since it is a stored vulnerability, the malicious scripts persist in the database rather than needing repeated exploitation.

Question 2

How severe is this vulnerability in Calculated Fields Form?

Accepted Answer

How severe is this vulnerability in Calculated Fields Form?

The vulnerability is considered medium severity with a CVSS base score of 4.4 out of 10. While serious, it requires an attacker to already have admin access. The scripts also only run when visitors load affected pages.

So while it allows for significant impact, the barriers to initial exploitation mean it is not rated as critical. The ease of updating to the patched version also lowers overall severity. But medium issues should still be addressed quickly to avoid potential attacks.

Question 3

What versions of Calculated Fields Form are affected?

Accepted Answer

What versions of Calculated Fields Form are affected?

All versions up to and including 1.2.40 contain the vulnerability. Site owners running those releases need to update. Version 1.2.41 has implemented input filtering defenses to close the issue.

So you should update your Calculated Fields Form plugin to 1.2.41 or newer as soon as possible.

Question 4

Does updating the plugin version fix the issue?

Accepted Answer

Does updating the plugin version fix the issue?

Yes, the developers have patched the vulnerability in release 1.2.41. By updating your site to this patched version, you can fully mitigate the security issue.

The update process only takes a few minutes through the WordPress dashboard. So applying this update is by far the best way to secure sites currently running vulnerable Calculated Fields Form plugin versions.

Question 5

What other steps should I take beyond updating?

Accepted Answer

What other steps should I take beyond updating?

It is also wise to directly check your database, files, and logs for any indicators of unauthorized changes after updating. That will reveal if your site was already compromised.

If malicious scripts or redirects are present, you will need to remove those changes in addition to updating to fully clean an exploited site. Also review all users with admin access to see if any unauthorized accounts were added.

Question 6

Are other form builder plugins vulnerable?

Accepted Answer

Are other form builder plugins vulnerable?

As far as we know, no. This vulnerability is unique to flaws in Calculated Fields Form's code up through version 1.2.40. Other popular form plugins like Contact Form 7 and Gravity Forms are not reported to suffer the same issues.

Switching form plugin vendors avoids potential future vulnerabilities that may arise in Calculated Fields Form. But for now, simply updating Calculated Fields Form resolves this current vulnerability.

Question 7

Why wasn’t this vulnerability discovered during testing?

Accepted Answer

Why wasn’t this vulnerability discovered during testing?

It seems the vulnerability was only exposed through very specific multipage form builds that were not part of the plugin’s test cases. So the flaw in input sanitization and output encoding went undetected.

This emphasizes why ongoing security research and responsible disclosure processes are so important to find narrow issues that developers may have overlooked.

Question 8

Is Calculated Fields Form still safe to use?

Accepted Answer

Is Calculated Fields Form still safe to use?

Yes, now that version 1.2.41 patches this vulnerability, the plugin is safe to continue using assuming sites are updated. The developers have a solid track record of promptly fixing security issues.

Site owners who stay current on releases should feel comfortable sticking with Calculated Fields Form, especially if already relying heavily on it. But periodically evaluating alternate form plugins is also reasonable.

Question 9

What could happen if I don't update?

Accepted Answer

What could happen if I don't update?

If left outdated and vulnerable, attackers who gain admin access to your site may be able to leverage this issue to compromise your site. They could steal data, launch further attacks on visitors, deface content, break functionality, and essentially gain significant control.

So it is quite risky running vulnerable versions in internet-facing production sites. Updating is critical and only takes minutes to prevent these potential attacks.

Question 10

Why do vulnerabilities happen so often in WordPress plugins?

Accepted Answer

Why do vulnerabilities happen so often in WordPress plugins?

The open source nature of WordPress and its over 55,000 plugins means code issues can be introduced unintentionally. The scale of the development ecosystem makes complete security testing difficult. Code flaws inevitably slip through which researchers later discover.

Staying current on releases and disclosures is challenging but necessary with open source software. This is why our team of experts closely tracks vulnerabilities across plugins to immediately notify customers of updates needed to remain secure.

Patch

WordPress Plugin Vulnerability Report – Calculated Fields Form – Authenticated (Admin+) Stored Cross-Site Scripting – CVE-2023-6446

WordPress Plugin Vulnerability Report – MW WP Form – Unauthenticated Arbitrary File Upload – CVE-2023-6316

WordPress Plugin Vulnerability Report – AMP for WP – Accelerated Mobile Pages – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode – CVE-2023-48321

WordPress Plugin Vulnerability Report – SiteOrigin Widgets Bundle – Authenticated (Admin+) Local File Inclusion – CVE-2023-6295

WordPress Plugin Vulnerability Report – BackWPup – Authenticated (Administrator+) Directory Traversal – CVE-2023-5504

WordPress Plugin Vulnerability Report – Analytify – Cross-Site Request Forgery

WordPress Plugin Vulnerability Report – EmbedPress – Draft Vulnerability

WordPress Plugin Vulnerability Report – wpDiscuz – Authenticated (Administrator+) Stored Cross-Site Scripting

WordPress Plugin Vulnerability Report – Paid Memberships Pro – Authenticated (Subscriber+) Arbitrary File Upload – CVE-2023-6187

WordPress Plugin Vulnerability Report – Social Warfare – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode – CVE-2023-4842

Recent Blog Posts

LiteSpeed Cache Vulnerability – Unauthenticated Sensitive Information Exposure via Log Files – CVE-2024-44000 | WordPress Plugin Vulnerability Report

Elementor Addon Elements Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Parameters – CVE-2024-4401, CVE-2024-7122 | WordPress Plugin Vulnerability Report

The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid Vulnerability – Authenticated (Contributor+) Information Disclosure – CVE-2024-7418 | WordPress Plugin Vulnerability Report

Additional Resources

About Your WP Guy