Calculated Fields Form WP Plugin (Version <= 1.0.353) Authenticated Stored XSS

Calculated Fields Form WP Plugin (Version <= 1.0.353) Multiple Authenticated Stored XSS

Background

The Calculated Fields Form plugin through 1.0.353 for WordPress suffers from multiple Stored XSS vulnerabilities present in the input forms. These Calculated Fields Form vulnerabilities were discovered during a web application penetration test by a Spider Sec Ltd Consultant.

Technical Details

An authenticated user with access to edit or create forms can inject JavaScript into input fields such as ‘field name’ and ‘form name’. Because these values are saved and later rendered without output escaping, the XSS is stored and executes both in the WordPress back-end (admin pages that list or edit the form) and on the front-end pages where the form is embedded. As a result, both site visitors and administrators could be targeted once a WordPress account with form-editing rights is compromised. However, these vulnerabilities are unlikely to be weaponised, given the level of authentication required to exploit them.
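To make the root cause concrete, the following is an added PHP example (it is not the plugin's own code and did not come from Spider Sec) contrasting the vulnerable pattern, a stored field name concatenated straight into markup, with the hardened pattern, the same value escaped at the point where it enters HTML. The function names, the `escape_html` helper and the sample field name are all constructed for this illustration; inside a WordPress plugin the idiomatic calls are `esc_html()` for text nodes and `esc_attr()` for attribute values.

```php
<?php
// Added illustration, not the plugin's code: a stored form/field name must be
// escaped at output time. Plain PHP so it runs without WordPress; in a real
// plugin use esc_html() / esc_attr() instead of the helper below.

declare(strict_types=1);

// Constructed sample: a field name as a user with form-editing rights might save it.
const SAMPLE_FIELD_NAME = 'Total <script>alert(1)</script>';

// Escapes for HTML text and quoted attribute contexts.
// Assumption: ENT_QUOTES with UTF-8 covers both contexts used in this example.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: the stored value is concatenated directly into markup, so
// any tags inside it become part of the page on both the admin and public side.
function render_label_unsafe(string $fieldName, string $fieldId): string
{
    return '<label for="' . $fieldId . '">' . $fieldName . '</label>';
}

// Hardened pattern: escape once, where the value enters HTML, using the escaper
// that matches the context (attribute value vs. text node).
function render_label_safe(string $fieldName, string $fieldId): string
{
    return '<label for="' . escape_html($fieldId) . '">' . escape_html($fieldName) . '</label>';
}

// Self-check suitable for a unit test: the hardened output must carry the
// sample input only as encoded text, never as a raw "<script" sequence.
function hardened_output_is_inert(): bool
{
    $html = render_label_safe(SAMPLE_FIELD_NAME, 'cff_total');
    return stripos($html, '<script') === false
        && str_contains($html, '&lt;script&gt;');
}

echo "Unsafe:   " . render_label_unsafe(SAMPLE_FIELD_NAME, 'cff_total') . PHP_EOL;
echo "Hardened: " . render_label_safe(SAMPLE_FIELD_NAME, 'cff_total') . PHP_EOL;
echo "Inert:    " . var_export(hardened_output_is_inert(), true) . PHP_EOL;
```

Run with `php example.php` (PHP 8 or later, for `str_contains`). The unsafe line shows the stored value reaching the page verbatim; the hardened line shows it rendered as literal text. The check function is the kind of regression test a plugin could keep so that an escaping call is not dropped again during a refactor.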

Remediation

Update this plugin to version 1.0.354 or later.

CVE-2020-7228

WPVDB ID 10043