PT-2026-25161 · Codepeople · Calculated Fields Form
Hunter Jensen
·
Publicado
2026-03-13
·
Atualizado
2026-03-13
·
CVE-2026-3986
CVSS v3.1
6.4
Média
| Vetor | AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Calculated Fields Form plugin for WordPress versions up to and including 5.4.5.0
Description
The Calculated Fields Form plugin for WordPress is susceptible to Stored Cross-Site Scripting through the form settings. This is caused by inadequate capability checks during the form settings save process and insufficient sanitization of the
fcontent field within fhtml field types. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages, which will execute when a user accesses the affected page. The vulnerable component is the form settings save handler. The vulnerable parameter is fcontent.Recommendations
Update the Calculated Fields Form plugin to a version later than 5.4.5.0.
Correção
XSS
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Calculated Fields Form