CVE-2026-3986

Name of the Vulnerable Software and Affected Versions Calculated Fields Form plugin for WordPress versions up to and including 5.4.5.0

Description The Calculated Fields Form plugin for WordPress is susceptible to Stored Cross-Site Scripting through the form settings. This is caused by inadequate capability checks during the form settings save process and insufficient sanitization of the fcontent field within fhtml field types. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages, which will execute when a user accesses the affected page. The vulnerable component is the form settings save handler. The vulnerable parameter is fcontent.

Recommendations Update the Calculated Fields Form plugin to a version later than 5.4.5.0.