Calculated Fields Form is a WordPress plugin that enables users to create custom forms with calculated fields, ideal for use in forms that require mathematical calculations such as price estimators, financial forms, and surveys. While the plugin offers a lot of flexibility and customization options, it also contains a critical vulnerability (CVE-2024-13382). This vulnerability allows attackers to inject malicious JavaScript into form fields, which can then be executed by users interacting with the form. The result of exploiting this vulnerability is a potential backdoor access, allowing attackers to perform actions such as account takeover and unauthorized administrative control of the website. This issue impacts versions of the plugin with 50k+ installations, posing a serious security risk to many WordPress sites.
CVE-2024-13382 – Calculated Fields Form – Stored XSS to JS Backdoor Creation – POC
