CVE-2024-9940

The Calculated Fields Form plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 5.2.45. This is due to the plugin not properly neutralizing HTML elements from submitted forms. This makes it possible for unauthenticated attackers to inject arbitrary HTML that will render when the administrator views form submissions in their email.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3168950%40calculated-fields-form&new=3168950%40calculated-fields-form&sfp_email=&sfph_mail=	Patch
https://www.wordfence.com/threat-intel/vulnerabilities/id/e2c9f6a5-8698-4452-bf0a-c1d796b2fdad?source=cve	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:codepeople:calculated_fields_form:*:*:*:*:*:wordpress:*:*

History

05 Jun 2025, 16:40

Type	Values Removed	Values Added
First Time		Codepeople Codepeople calculated Fields Form
References	~~() https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3168950%40calculated-fields-form&new=3168950%40calculated-fields-form&sfp_email=&sfph_mail= -~~	() https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3168950%40calculated-fields-form&new=3168950%40calculated-fields-form&sfp_email=&sfph_mail= - Patch
References	~~() https://www.wordfence.com/threat-intel/vulnerabilities/id/e2c9f6a5-8698-4452-bf0a-c1d796b2fdad?source=cve -~~	() https://www.wordfence.com/threat-intel/vulnerabilities/id/e2c9f6a5-8698-4452-bf0a-c1d796b2fdad?source=cve - Third Party Advisory
CPE		cpe:2.3:a:codepeople:calculated_fields_form::::::wordpress::*
CWE		CWE-79

18 Oct 2024, 12:53

Type	Values Removed	Values Added
Summary		(es) El complemento Calculated Fields Form para WordPress es vulnerable a la inyección de HTML en todas las versiones hasta la 5.2.45 incluida. Esto se debe a que el complemento no neutraliza correctamente los elementos HTML de los formularios enviados. Esto permite que atacantes no autenticados inyecten HTML arbitrario que se mostrará cuando el administrador vea los envíos de formularios en su correo electrónico.

17 Oct 2024, 02:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-10-17 02:15

Updated : 2025-06-05 16:40

NVD link : CVE-2024-9940

Mitre link : CVE-2024-9940

CVE.ORG link : CVE-2024-9940

JSON object : View

Products Affected

codepeople

calculated_fields_form

CWE

CWE-75

Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

5.3 /10