Calculated Fields Form < 5.2.62 - Admin+ Stored XSS
Description
The Calculated Fields Form WordPress plugin before 5.2.62 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Calculated Fields Form plugin before 5.2.62 allows admins to inject scripts even when unfiltered_html is disallowed.
Vulnerability
The Calculated Fields Form WordPress plugin versions before 5.2.62 fail to sanitize and escape some of its settings. This allows high privilege users (e.g., admin) to inject arbitrary web scripts via the plugin's settings page, even when the unfiltered_html capability is disallowed, such as in multisite configurations [1].
Exploitation
An attacker with administrator access can craft malicious input in the vulnerable settings fields. Upon saving, the payload is stored and executed when the settings page is viewed, leading to Stored Cross-Site Scripting (XSS). No additional user interaction is required beyond the admin saving the settings [1].
Impact
Successful exploitation permits the attacker to execute arbitrary JavaScript in the context of the admin dashboard. This can lead to session hijacking, defacement, or further compromise of the WordPress site, potentially affecting all users [1].
Mitigation
Update to version 5.2.62 or later, which fixes the issue. No workarounds are available. The vulnerability is publicly disclosed and should be patched promptly [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1- wpscan.com/vulnerability/90333618-2be7-49cf-822a-819699f07977/mitreexploitvdb-entrytechnical-description
News mentions
0No linked articles in our index yet.