WordPress Plugin Vulnerability Report – Calculated Fields Form – Authenticated (Admin+) Stored Cross-Site Scripting – CVE-2023-6446

Plugin Name: Calculated Fields Form

Key Information:

  • Software Type: Plugin
  • Software Slug: calculated-fields-form
  • Software Status: Active
  • Software Author: codepeople
  • Software Downloads: 6,352,767
  • Active Installs: 60,000
  • Last Updated: December 5, 2023
  • Patched Versions: 1.2.41
  • Affected Versions: <= 1.2.40

Vulnerability Details:

  • Name: Calculated Fields Form <= 1.2.40 - Authenticated (Admin+) Stored Cross-Site Scripting
  • Title: Authenticated (Admin+) Stored Cross-Site Scripting
  • Type: Improper Neutralization of Alternate XSS Syntax
  • CVE: CVE-2023-6446
  • CVSS Score: 4.4 (Medium)
  • Publicly Published: December 5, 2023
  • Researcher: emad
  • Description: The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.40 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.


The Calculated Fields Form for WordPress has a vulnerability in versions up to and including 1.2.40 that allows authenticated attackers with admin privileges to inject malicious scripts that will execute when pages are loaded. This vulnerability has been patched in version 1.2.41.

Detailed Overview:

Researcher emad disclosed an authenticated stored cross-site scripting vulnerability in the popular Calculated Fields Form plugin in versions up to and including 1.2.40. Due to insufficient sanitization of input and escaping of output in the admin settings, an attacker with admin privileges can store malicious scripts that will execute whenever a user views an affected page. This vulnerability is categorized as medium severity with a CVSS score of 4.4. It has been addressed in version 1.2.41 through improved input validation and output encoding.

Advice for Users:

  1. Immediate Action: Update to version 1.2.41 or newer as soon as possible.
  2. Check for Signs of Vulnerability: Review your site for unexpected scripts or redirection. Revoke admin access if unauthorized changes detected.
  3. Alternate Plugins: Consider alternative form builder plugins like Contact Form 7 or Gravity Forms.
  4. Stay Updated: Enable automatic updates for plugins to get vulnerability fixes quickly.


This vulnerability further stresses the importance of timely security updates. Users should install version 1.2.41 or newer of Calculated Fields Form, or consider alternate plugins, to protect their WordPress sites.




Detailed Report:

Keeping your WordPress website secure should be a top priority – vulnerabilities in plugins can open up your site to attacks if left unpatched. One popular plugin, Calculated Fields Form, was recently disclosed to have a stored cross-site scripting (XSS) vulnerability making sites running outdated versions susceptible to malicious code injection.

Calculated Fields Form is a widely used plugin with over 6 million downloads and 60,000 active installs. It allows forms to perform complex calculations and create dynamic forms for user input. The plugin is actively maintained by developers codepeople and usually quick to address security issues.

However, researcher emad recently disclosed a medium severity vulnerability tracked as CVE-2023-6446 affecting Calculated Fields Form versions up to and including 1.2.40. Due to insufficient input sanitization, an attacker with admin privileges can inject malicious scripts into the database that will execute when certain pages load. This could allow them to steal data, deface sites, launch further attacks on visitors, and more.

While alarming, this risk can be easily addressed. The developers have patched the plugin in version 1.2.41, closing the vulnerability through improved input validation and output encoding. Users simply need to update to the latest version, which will take just a few minutes. There have been 5 previous vulnerabilities patched over time, so the development team has experience creating these security fixes.

In addition to updating, site owners should scan their database and files for unauthorized code injections. If detections occur, all admin accounts should be reviewed and unauthorized changes reverted. Alternatively, switching to other validated form builder plugins like Contact Form 7 or Gravity Forms avoids the risks of this particular plugin.

Don't tackle WordPress security alone - the consequences of a breach are too great. At Your WP Guy, our managed WordPress maintenance services include layers of protection like auto-updates, malware scanning, firewalls and 24/7 monitoring by WordPress experts. We become your outsourced IT team.

Let's chat about migrating your site to our managed hosting so you can finally stop worrying about security issues. We'll fully audit and lock down your site as part of onboarding. Call us at 678-995-5169 to keep your business safe online.

WordPress Plugin Vulnerability Report - Calculated Fields Form - Authenticated (Admin+) Stored Cross-Site Scripting - CVE-2023-6446 FAQs

Leave a Comment