Calculated Fields Form < 5.2.64 - Admin+ Stored XSS
Description
The Calculated Fields Form WordPress plugin before 5.2.64 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Calculated Fields Form plugin before 5.2.64 allows admins to inject scripts even when unfiltered_html is disallowed.
Vulnerability
The Calculated Fields Form WordPress plugin before version 5.2.64 does not sanitize and escape some of its settings. This allows high-privilege users, such as administrators, to perform Stored Cross-Site Scripting (XSS) attacks even when the unfiltered_html capability is disallowed, such as in multisite setups [1].
Exploitation
An attacker must have administrative access to the WordPress site. They can inject malicious JavaScript code into plugin settings, which is then stored and executed whenever the settings page is viewed or the injected content is rendered. The attack does not require the unfiltered_html capability, bypassing typical restrictions in multisite environments [1].
Impact
Successful exploitation leads to stored XSS, allowing the attacker to execute arbitrary JavaScript in the context of the admin dashboard. This can result in session hijacking, defacement, or further compromise of the site [1].
Mitigation
Update to version 5.2.64 or later, which fixes the vulnerability by properly sanitizing and escaping the settings. No other workarounds are mentioned in the advisory [1].
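The weak pattern the advisory describes (a setting stored and echoed without sanitisation or escaping) next to the hardened form, as an added illustration rather than the plugin's own code; the option, field and function names are hypothetical:

```php
<?php
// Added example, not code from the Calculated Fields Form plugin.
// Option name 'cff_demo_label' and the cff_demo_* functions are hypothetical.

// Weak pattern: raw POST value stored, later echoed unescaped. Whatever an
// administrator saves is rendered as-is in the settings page, so the
// unfiltered_html capability check never comes into play (stored XSS).
function cff_demo_save_weak() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    update_option( 'cff_demo_label', $_POST['cff_demo_label'] ); // no sanitisation
}
function cff_demo_render_weak() {
    echo '<input type="text" name="cff_demo_label" value="'
        . get_option( 'cff_demo_label' ) . '">';                 // no escaping
}

// Hardened pattern: register the option with a sanitize_callback so every
// update_option() call is filtered, honour unfiltered_html for the rare
// setting that legitimately carries markup, and escape on output.
function cff_demo_sanitize_label( $value ) {
    // A form label is plain text: strip tags and control characters outright.
    return sanitize_text_field( (string) $value );
}
function cff_demo_sanitize_html_setting( $value ) {
    // A setting that may contain HTML: only users holding unfiltered_html
    // (on multisite, super admins) may store arbitrary markup; everyone
    // else is limited to the post-safe allow-list.
    return current_user_can( 'unfiltered_html' ) ? (string) $value : wp_kses_post( (string) $value );
}
add_action( 'admin_init', function () {
    register_setting( 'cff_demo', 'cff_demo_label', array(
        'type'              => 'string',
        'sanitize_callback' => 'cff_demo_sanitize_label',
        'default'           => '',
    ) );
} );
function cff_demo_save_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'cff_demo_save' );                      // CSRF token
    update_option( 'cff_demo_label', wp_unslash( $_POST['cff_demo_label'] ?? '' ) );
}
function cff_demo_render_hardened() {
    // esc_attr() neutralises quotes and angle brackets inside the attribute.
    printf( '<input type="text" name="cff_demo_label" value="%s">',
        esc_attr( get_option( 'cff_demo_label', '' ) ) );
}
```

Because register_setting() attaches the callback to the sanitize_option_{option} filter, the sanitisation runs on every update_option() for that option, not only on the Settings API path.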
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- wpscan.com/vulnerability/925de4af-fc71-45ae-8454-7e4f70be13ca/ (mitre, exploit, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.