Calculated Fields Form is a versatile WordPress plugin that lets users design dynamic forms with live calculations, sliders, and conditional logic. With more than 60,000 active installations, it powers everything from loan calculators to interactive quizzes. However, a severe security flaw—CVE-2024-13381—has been discovered in the plugin’s Slider block configuration. This vulnerability allows an editor to inject persistent JavaScript into form captions, which executes whenever the form is previewed, creating an avenue for backdoor creation and full administrative takeover.

CVE: CVE-2024-13381
Affected versions: Calculated Fields Form < 5.2.62
Criticality: High
All-time downloads: 8 954 083
Active installations: 50 000+
Publicly published: May 30, 2025
Last updated: May 30, 2025
Researcher: Dmitrii Ignatyev
OWASP Top 10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13381
https://wpscan.com/vulnerability/da099e52-7f7b-4d76-a0bc-a46315510e0a/

Timeline

December 6, 2024: Plugin testing and vulnerability detection in the Calculated Fields Form have been completed
December 6, 2024: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
May 30, 2025: Registered CVE-2024-13381

Discovery of the Vulnerability

During a security audit focused on widget and block input sanitization, researchers identified that the “Field Caption” attribute of the Slider block was not properly HTML-escaped. By injecting a "> sequence into the “Max” field ahead of a malicious <img> tag in the caption, an attacker could break out of the expected attribute context and store an XSS payload in the database. When the form is later rendered or previewed, the plugin outputs this caption directly into the DOM without escaping, and the script executes.

Understanding XSS attacks

Cross-Site Scripting (XSS) vulnerabilities arise when user-supplied content is rendered without proper sanitization or escaping. In WordPress, Stored XSS is particularly dangerous, as payloads persist across sessions and affect every visitor or administrator who encounters the compromised element. Past real-world incidents, such as XSS in Contact Form 7 and Ninja Forms, have shown how attackers leverage form fields and validation messages to inject scripts that steal cookies, create rogue admin users, or deliver malware. CVE-2024-13381 similarly exploits a trusted plugin interface to execute arbitrary JavaScript.

Exploiting the XSS Vulnerability

To exploit CVE-2024-13381, an attacker with Editor or higher privileges proceeds as follows.

PoC:

1) Create a new form and add a "Slider" block to it.
2) Set the "Max" field to "> and the "Field Caption" field to <img src=x onerror=alert(1)>
3) Save the settings.
4) Preview the form to trigger the XSS.


The implications of CVE-2024-13381 are grave. An attacker can use this vulnerability to achieve:

  • Administrator Account Compromise: By stealing session cookies or forging REST API requests to create a new admin user.
  • Data Exfiltration: Extracting sensitive site data or credentials via fetch() calls embedded in the XSS payload.
  • Persistent Backdoor: Loading remote JavaScript files that remain active across page loads, fully under attacker control.

In high‑traffic environments—eCommerce stores, membership sites, or enterprise portals—the risk is magnified. Attackers could redirect customers to phishing pages, alter pricing details, or deface the site, resulting in both financial and reputational damage.

Recommendations for Improved Security

Patch Immediately: Update Calculated Fields Form to the version that fixes CVE-2024-13381.

Sanitize Slider Inputs: Developers should enforce strict sanitization on all slider fields using WordPress functions like sanitize_text_field() for attributes and esc_html() for captions.

Escape Output: Wrap dynamic content in esc_attr() or wp_kses_post() before rendering in the front end or back end.

Review User Capabilities: Limit Editor access to form-building features or disable unfiltered_html to reduce the attack surface.

Implement CSP: Deploy a Content Security Policy to disallow inline scripts and mitigate XSS risks.
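To make the escaping advice concrete, here is an added example (not the plugin's own code) of a hypothetical Slider rendering path: the vulnerable form reproduces the attribute breakout from the PoC, and the hardened form validates on save and escapes per output context. The function names, the settings array, and the stand-in definitions of the WordPress escaping helpers are assumptions so the file runs outside WordPress.

```php
<?php
// Hypothetical Slider rendering; NOT the plugin's own code.
// Stand-ins (approximations) so the file runs outside WordPress. Inside
// WordPress the real esc_attr()/esc_html()/sanitize_text_field() apply.
if (!function_exists('esc_attr')) {
    function esc_attr($s) { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }
    function esc_html($s) { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }
    function sanitize_text_field($s) { return trim(strip_tags($s)); }
}

// Constructed settings mirroring the PoC: "Max" closes the attribute and the
// tag, so whatever follows (the caption) is parsed as markup.
$settings = ['max' => '">', 'caption' => '<img src=x onerror=alert(1)>'];

// Vulnerable: editor-controlled values interpolated raw into attributes.
function render_slider_vulnerable(array $s): string {
    return '<input type="range" max="' . $s['max'] . '" title="' . $s['caption'] . '">';
}

// Hardened save step: a slider bound must be numeric, a caption is plain text.
// Rejecting non-numeric input here removes the breakout vector entirely.
function sanitize_slider_settings(array $s): array {
    $max = is_numeric($s['max']) ? (float) $s['max'] : 100.0; // assumed default
    return ['max' => $max, 'caption' => sanitize_text_field($s['caption'])];
}

// Hardened output step: escape for the context each value is written into
// (esc_attr inside an attribute, esc_html in element text).
function render_slider_hardened(array $s): string {
    return '<input type="range" max="' . esc_attr((string) $s['max']) . '">'
         . '<span class="caption">' . esc_html($s['caption']) . '</span>';
}

echo render_slider_vulnerable($settings), "\n";            // <img> becomes a live tag
echo render_slider_hardened($settings), "\n";              // payload rendered inert as text
echo render_slider_hardened(sanitize_slider_settings($settings)), "\n";
```

Output escaping alone already neutralizes the stored payload; the save-time validation is defense in depth so the malformed value never reaches the database.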

To prevent this type of attack, the vendor applied our recommended prevention methods.

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-13381, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.


Dmitrii I.
CVE-2024-13381 – Calculated Fields Form – Stored XSS to JS Backdoor Creation – POC
