The Calculated Fields Form plugin is a widely adopted WordPress tool used for creating forms with dynamically calculated fields based on user input. With over 50,000 active installations, it powers various contact forms, booking interfaces, quote generators, and more. Despite its powerful features, a significant security vulnerability has been discovered: CVE-2024-12273, a Stored Cross-Site Scripting (XSS) flaw that can be leveraged by an attacker to inject persistent JavaScript code and deploy a full JavaScript-based backdoor. This allows account takeover and, in worst-case scenarios, full administrative compromise.
CVE-2024-12273 – Calculated Fields Form – Stored XSS to JS Backdoor Creation – POC
