Calculated Fields Form <= 5.2.45 - HTML Injection
Description
The Calculated Fields Form plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 5.2.45. This is due to the plugin not properly neutralizing HTML elements from submitted forms. This makes it possible for unauthenticated attackers to inject arbitrary HTML that will render when the administrator views form submissions in their email.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Calculated Fields Form plugin ≤5.2.45 fails to sanitize submitted HTML, letting unauthenticated attackers inject arbitrary HTML into submissions viewed by admins via email.
Vulnerability
The Calculated Fields Form plugin for WordPress, in all versions up to and including 5.2.45, fails to properly neutralize HTML elements from submitted form fields. This HTML Injection vulnerability allows unauthenticated attackers to inject arbitrary HTML into form submissions, which is then rendered when an administrator views the submissions, typically via email notifications. The affected plugin is identified as calculated-fields-form and is hosted on the WordPress plugin repository [1].
Exploitation
An unauthenticated attacker can exploit this vulnerability by submitting a crafted form entry containing malicious HTML or JavaScript within any text input field. No authentication or special network position is required; the only condition is that the administrator must view the submitted data (e.g., through the WordPress admin interface or an email notification). The attacker simply fills out the publicly accessible form with HTML tags, and the plugin stores and forwards the payload without escaping [1].
Impact
On successful exploitation, an attacker can inject arbitrary HTML content that will be rendered in the context of the administrator's session. This can lead to phishing attacks, session hijacking, or defacement within the administrative interface. While the description specifies "HTML Injection" (not stored XSS with script execution), the injection of arbitrary HTML is sufficient to mislead an admin or perform clickjacking-style attacks. The scope of compromise is limited to the admin's browser, but could be used to steal credentials or perform actions on behalf of the admin [1].
Mitigation
A patched version 5.4.7.7 is available as of the plugin's last update on 2026-05-21, according to the WordPress plugin directory [1]. Users are strongly advised to update to the latest version immediately. If updating is not possible, administrators should avoid viewing form submissions in raw HTML email and consider using a plain-text email viewer until the plugin is updated. No workaround is provided by the vendor for versions below 5.4.7.7 [1].
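As an added illustration (not the plugin's own code), the hypothetical PHP notification builder below shows the unsafe pattern the description implies next to the neutralized form: each submitted label and value is escaped for an HTML context with htmlspecialchars() before it is embedded in the email body, so any tags in the submission arrive as literal text instead of rendering in the administrator's mail client. The submission array and the function names are constructed for this example.

```php
<?php
// Added example, not code from Calculated Fields Form. Models a hypothetical
// notification builder that turns a form submission into an HTML email body.

// Constructed sample submission: the "message" field carries HTML markup.
$submission = [
    'name'    => 'Jane Doe',
    'email'   => 'jane@example.com',
    'message' => '<b>Hello</b> and <a href="https://example.com">a link</a>',
];

// Unsafe pattern: values are concatenated into the HTML body unchanged, so
// any markup in the submission is rendered when the email is viewed.
function build_body_unsafe(array $fields): string {
    $rows = '';
    foreach ($fields as $label => $value) {
        $rows .= "<tr><td>{$label}</td><td>{$value}</td></tr>\n";
    }
    return "<table>\n{$rows}</table>\n";
}

// Neutralized form: every label and value is escaped for an HTML context
// before it is embedded, so "<" becomes "&lt;" and the markup is displayed
// as literal text. In WordPress code, esc_html() serves the same purpose as
// htmlspecialchars() with ENT_QUOTES.
function build_body_safe(array $fields): string {
    $rows = '';
    foreach ($fields as $label => $value) {
        $safe_label = htmlspecialchars((string) $label, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $safe_value = htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $rows .= "<tr><td>{$safe_label}</td><td>{$safe_value}</td></tr>\n";
    }
    return "<table>\n{$rows}</table>\n";
}

// Check: once the builder's own fixed table markup is stripped, a correctly
// neutralized body must contain no remaining tag openers from user values.
function contains_injected_markup(string $body): bool {
    $stripped = preg_replace('#</?(table|tr|td)>#', '', $body);
    return (bool) preg_match('/<[a-zA-Z]/', $stripped);
}

var_dump(contains_injected_markup(build_body_unsafe($submission)));
var_dump(contains_injected_markup(build_body_safe($submission)));
```

The check reports the unsafe body as carrying injected markup and the escaped body as clean; the same escaping applies to any other sink where submitted field values are rendered, such as the admin submissions view.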
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=5.2.45
- (no CPE) range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.