The Calculated Fields Form WordPress plugin before 5.2.64 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
2025-05-15T20:15:39.147
2025-05-23T18:51:39.150
Analyzed
CVSSv3.1: 4.8 (MEDIUM)
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | codepeople | calculated_fields_form | ≤ 5.2.64 | Yes |