CVE-2023-0389: Calculated Fields Form < 1.1.151 - Admin+ Stored Cross-Site Scripting via Dropdown Fields
First published: Tue Jan 16 2024(Updated: )
The Calculated Fields Form WordPress plugin before 1.1.151 does not sanitise and escape some of its form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| CodePeople Calculated Fields Form | <1.1.151 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2023-0389?
CVE-2023-0389 has a severity rating that indicates it could result in Stored Cross-Site Scripting attacks for high privilege users.
How do I fix CVE-2023-0389?
To fix CVE-2023-0389, update the Calculated Fields Form WordPress plugin to version 1.1.151 or later.
Who is affected by CVE-2023-0389?
CVE-2023-0389 affects users of the Calculated Fields Form WordPress plugin versions before 1.1.151.
What kind of attacks can CVE-2023-0389 enable?
CVE-2023-0389 can enable Stored Cross-Site Scripting (XSS) attacks on vulnerable installations.
Is unfiltered_html capability relevant to CVE-2023-0389?
Yes, CVE-2023-0389 allows high privilege users to perform attacks even when the unfiltered_html capability is restricted.
- agent/weakness
- agent/author
- agent/references
- agent/title
- agent/type
- agent/first-publish-date
- agent/description
- agent/severity
- agent/softwarecombine
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/codepeople
- canonical/codepeople calculated fields form