Severity: 6.1 MEDIUM
EPSS: 1.9% (top 16.70%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 13; latest update Dec 27

Description

The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form page href parameter in all versions up to, and including, 5.1.56 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the professional version or higher.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Exploitability: 3.9 | Impact: 2.7

Affected Packages: 2 packages

Vulnerability Details (2 entries)

CVE List: Calculated Fields Form Professional <= 5.1.56 - Unauthenticated Stored Cross-Site Scripting (2024-03-13)
GHSA: GHSA-8f4m-xpm2-5rxj: The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form page href parameter in all versions up to, a… (2024-03-13)
