The Calculated Fields Form plugin is a widely adopted WordPress tool used for creating forms with dynamically calculated fields based on user input. With over 50,000 active installations, it powers various contact forms, booking interfaces, quote generators, and more. Despite its powerful features, a significant security vulnerability has been discovered: CVE-2024-12273, a Stored Cross-Site Scripting (XSS) flaw that can be leveraged by an attacker to inject persistent JavaScript code and deploy a full JavaScript-based backdoor. This allows account takeover and, in worst-case scenarios, full administrative compromise.
| CVE | CVE-2024-12273 |
| Calculated Fields Form < 5.2.62 | |
| Critical | High |
| All Time | 3 444 511 |
| Active installations | 50 000+ |
| Publicly Published | April 22, 2025 |
| Last Updated | April 22, 2025 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12273 https://wpscan.com/vulnerability/90333618-2be7-49cf-822a-819699f07977/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
PSC by CleantalkJoin the community of developers who prioritize security. Highlight your plugin in the WordPress catalog.
Timeline
| December 5, 2024 | Plugin testing and vulnerability detection in the Calculated Fields Form have been completed |
| December 5, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| April 22, 2025 | Registered CVE-2024-12273 |
Discovery of the Vulnerability
During a focused audit of input handling mechanisms in the plugin’s form configuration, researchers identified that the “HTML Content” block does not sufficiently sanitize user-provided content before rendering it in the backend preview and frontend. Specifically, the plugin allows unescaped HTML/JS content to be stored in form settings and executed later during form preview or user interactions. This improper validation and lack of output escaping provide a clear attack vector for Stored XSS.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) remains one of the most prevalent security risks in the WordPress ecosystem. In the Stored XSS variant, malicious payloads are persistently saved in the database and triggered later when rendered by users or admins. In WordPress, this becomes particularly dangerous when roles like Editor or Contributor can access plugin configurations or submit post content that later gets parsed with insufficient sanitation.
Exploiting the XSS Vulnerability
To exploit CVE-2024-12273, an attacker with editor+ privileges:
POC:
You should create a new form and add here "HTML Content" block. Replace "HTML Content" field to <img src=x onerror=alert(1)> -> Save Settings -> To trigger XSS you should 1) reload page; 2) go to preview (Admins and editors are allowed to use JS in posts/pages/comments/etc, so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles)____
The risk associated with CVE-2024-12273 is high. An attacker with only editor-level privileges could easily escalate their access by:
- Injecting a hidden admin creation backdoor
- Installing rogue plugins or modifying theme files
- Hijacking active sessions of logged-in administrators
- Altering payment, login, or booking forms to steal credentials or redirect users
If this vulnerability is chained with additional privilege escalation bugs, it could even allow unauthenticated remote code execution.
In real-world breaches, this would be used for persistent compromise of a WordPress site, often to inject SEO spam, redirect traffic, or embed crypto miners..
Recommendations for Improved Security
Update the plugin: Ensure the Calculated Fields Form plugin is upgraded to the latest patched version addressing CVE-2024-12273.
Enforce HTML sanitation: Developers should apply strict sanitation functions such as wp_kses_post() or esc_html()before rendering user-generated content.
Restrict plugin access: Only admin-level users should be allowed to modify form blocks containing HTML or JavaScript.
Deploy Content Security Policy (CSP) headers to limit execution of inline scripts.
Audit user roles regularly to ensure minimal privileges are granted to non-trusted users.conduct a full review of all widget content if this plugin was used by multiple users, and rotate administrator credentials in case of suspected compromise.
To prevent this type of attacks vendor used our methods of prevention.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-12273, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.