Calculated Fields Form is a WordPress plugin that enables users to create custom forms with calculated fields, ideal for forms that require mathematical calculations such as price estimators, financial forms, and surveys. While the plugin offers a lot of flexibility and customization options, it also contains a critical vulnerability (CVE-2024-13382). This vulnerability allows attackers to inject malicious JavaScript into form fields, which is then executed in the browsers of users interacting with the form. Successful exploitation can give an attacker backdoor access, enabling actions such as account takeover and unauthorized administrative control of the website. The affected plugin has 50k+ installations, so the issue poses a serious security risk to many WordPress sites.
| CVE | CVE-2024-13382 |
| Plugin | Calculated Fields Form |
| Severity | High |
| All-time downloads | 8 324 535 |
| Active installations | 50 000+ |
| Publicly published | March 11, 2025 |
| Last updated | March 11, 2025 |
| Researcher | Dmitrii Ignatyev |
| OWASP Top 10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| References | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13382 , https://wpscan.com/vulnerability/925de4af-fc71-45ae-8454-7e4f70be13ca/ |
Timeline
December 13, 2024 | Plugin testing and vulnerability detection in the Calculated Fields Form have been completed |
December 13, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
March 11, 2025 | Registered CVE-2024-13382 |
Discovery of the Vulnerability
The vulnerability was identified in the “GDPR” block of the plugin’s form builder, where users can input data for compliance purposes. Specifically, the issue arises in the “Field label” setting, where users are allowed to insert custom text. However, the plugin does not properly sanitize or escape this input, making it vulnerable to malicious script injection. By embedding JavaScript code in the “Field label” field, an attacker can inject a payload like <img src=x onerror=alert(1)>. This script is stored in the database and executed whenever a user previews or interacts with the form, leading to the execution of arbitrary JavaScript within the user’s browser.
Understanding XSS attacks
Cross-Site Scripting (XSS) is a type of vulnerability that allows attackers to inject malicious scripts into web applications, which are then executed in the context of a user’s browser. This type of attack can result in the theft of sensitive information, session hijacking, and even the complete compromise of a website. In WordPress, XSS vulnerabilities are common in plugins and themes that allow users to submit content without proper validation or sanitization of input fields. For example, in CVE-2020-2559, an XSS vulnerability was found in the popular plugin WPForms, which allowed attackers to inject malicious JavaScript into form fields, leading to unauthorized access. Similarly, CVE-2024-13382 in Calculated Fields Form allows attackers to inject malicious code through the form’s label settings, leading to serious security implications.
Exploiting the XSS Vulnerability
To exploit CVE-2024-13382, an attacker needs Editor or higher privileges.
PoC:
1) Create a new form and add a "GDPR" block to it.
2) Replace the "Field label" value with <img src=x onerror=alert(1)>&aaaa
3) Save the settings.
4) Preview the form to trigger the XSS.
The risks associated with CVE-2024-13382 are significant, particularly for websites with a high level of user interaction, such as e-commerce or membership sites. If an attacker successfully exploits this vulnerability, they could hijack an administrator’s session, gaining full control over the WordPress site. This could lead to unauthorized actions, such as installing malware, stealing sensitive user data, or modifying site content. In a real-world scenario, an attacker could use this vulnerability to create a backdoor admin account, ensuring persistent access to the site even if the vulnerability is patched. Additionally, the attacker could exploit the XSS vulnerability to deface the website, inject malicious content, or deliver phishing attacks to unsuspecting users.
Recommendations for Improved Security
To mitigate the risks posed by CVE-2024-13382, administrators should update the Calculated Fields Form plugin to the latest version as soon as a patch is released. Administrators should also limit the capabilities of non-admin users, especially editors, so that they cannot inject potentially malicious content into form fields. Proper input sanitization and validation should be applied to all user-generated content, especially fields rendered on the frontend, such as form labels. WordPress developers should use functions like sanitize_text_field() and wp_kses() to sanitize and escape user input. Administrators can also deploy a Content Security Policy (CSP) to restrict the execution of unauthorized scripts. Regular security audits should be conducted to identify and address vulnerabilities in third-party plugins. To prevent this type of attack, the vendor applied the prevention methods we recommended.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-13382, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Dmitrii I.