CVE-2026-3986

CWE-79Cross-site Scripting (XSS)CWE-20Improper Input ValidationCWE-74CWE-918Server-Side Request Forgery (SSRF)CWE-1289CWE-22Path Traversal10 documents6 sources
Severity
6.4MEDIUM
EPSS
0.0%
top 89.21%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Codepeople Calculated Fields Form
Timeline
PublishedMar 13
Latest updateMar 30

Description

The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form settings in all versions up to, and including, 5.4.5.0. This is due to insufficient capability checks on the form settings save handler and insufficient input sanitization of the `fcontent` field in `fhtml` field types. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user access

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NExploitability: 3.1 | Impact: 2.7

Affected Packages1 packages

🔴Vulnerability Details

5
GHSA
Gotenberg has Chromium deny-list bypass via case-insensitive URL scheme (bypass of GHSA-rh2x-ccvw-q7r3)2026-03-30
GHSA
GHSA-2x88-jf9m-g87v: The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form settings in all versions up to, and includin2026-03-13
CVEList
Calculated Fields Form <= 5.4.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Form Settings2026-03-13
GHSA
Koa has Host Header Injection via ctx.hostname2026-02-26
GHSA
Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url2026-02-09

📋Vendor Advisories

1
Red Hat
Faraday: Faraday: Server-Side Request Forgery via protocol-relative URLs2026-02-09

🕵️Threat Intelligence

1
Wiz
CVE-2026-3986 Impact, Exploitability, and Mitigation Steps | Wiz