{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-9940", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2024-10-14T16:00:44.204Z", "datePublished": "2024-10-17T02:06:05.303Z", "dateUpdated": "2024-10-17T16:10:28.112Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-10-17T02:06:05.303Z"}, "affected": [{"vendor": "codepeople", "product": "Calculated Fields Form", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "5.2.45", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Calculated Fields Form plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 5.2.45. This is due to the plugin not properly neutralizing HTML elements from submitted forms. This makes it possible for unauthenticated attackers to inject arbitrary HTML that will render when the administrator views form submissions in their email."}], "title": "Calculated Fields Form <= 5.2.45 - HTML Injection", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e2c9f6a5-8698-4452-bf0a-c1d796b2fdad?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3168950%40calculated-fields-form&new=3168950%40calculated-fields-form&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)", "cweId": "CWE-75", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Max Boll"}], "timeline": [{"time": "2024-10-16T00:00:00.000+00:00", "lang": "en", "value": "Disclosed"}]}, "adp": [{"affected": [{"vendor": "codepeople", "product": "calculated_fields_form", "cpes": ["cpe:2.3:a:codepeople:calculated_fields_form:*:*:*:*:*:wordpress:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.2.45", "versionType": "semver"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-17T16:07:24.371119Z", "id": "CVE-2024-9940", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-17T16:10:28.112Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-9940", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-17T16:07:24.371119Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:codepeople:calculated_fields_form:*:*:*:*:*:wordpress:*:*"], "vendor": "codepeople", "product": "calculated_fields_form", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.2.45"}], "defaultStatus": "unaffected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-17T16:10:19.828Z"}}], "cna": {"title": "Calculated Fields Form <= 5.2.45 - HTML Injection", "credits": [{"lang": "en", "type": "finder", "value": "Max Boll"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "codepeople", "product": "Calculated Fields Form", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "5.2.45"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-10-16T00:00:00.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e2c9f6a5-8698-4452-bf0a-c1d796b2fdad?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3168950%40calculated-fields-form&new=3168950%40calculated-fields-form&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Calculated Fields Form plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 5.2.45. This is due to the plugin not properly neutralizing HTML elements from submitted forms. This makes it possible for unauthenticated attackers to inject arbitrary HTML that will render when the administrator views form submissions in their email."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-75", "description": "CWE-75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-10-17T02:06:05.303Z"}}}, "cveMetadata": {"cveId": "CVE-2024-9940", "state": "PUBLISHED", "dateUpdated": "2024-10-17T16:10:28.112Z", "dateReserved": "2024-10-14T16:00:44.204Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2024-10-17T02:06:05.303Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Calculated Fields Form plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 5.2.45. This is due to the plugin not properly neutralizing HTML elements from submitted forms. This makes it possible for unauthenticated attackers to inject arbitrary HTML that will render when the administrator views form submissions in their email."}, {"lang": "es", "value": "El complemento Calculated Fields Form para WordPress es vulnerable a la inyecci\u00f3n de HTML en todas las versiones hasta la 5.2.45 incluida. Esto se debe a que el complemento no neutraliza correctamente los elementos HTML de los formularios enviados. Esto permite que atacantes no autenticados inyecten HTML arbitrario que se mostrar\u00e1 cuando el administrador vea los env\u00edos de formularios en su correo electr\u00f3nico."}], "id": "CVE-2024-9940", "lastModified": "2024-10-18T12:53:04.627", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2024-10-17T02:15:04.277", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3168950%40calculated-fields-form&new=3168950%40calculated-fields-form&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e2c9f6a5-8698-4452-bf0a-c1d796b2fdad?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-75"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}