CVE-2024-2020: XSS
First published: Wed Mar 13 2024(Updated: )
The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form page href parameter in all versions up to, and including, 5.1.56 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the professional version or higher.
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| CodePeople Calculated Fields Form | <=5.1.56 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-2020?
CVE-2024-2020 is considered a high severity vulnerability due to its potential for stored cross-site scripting attacks.
How do I fix CVE-2024-2020?
To fix CVE-2024-2020, update the Calculated Fields Form plugin to the latest version beyond 5.1.56.
Who is affected by CVE-2024-2020?
All users of the Calculated Fields Form plugin for WordPress up to and including version 5.1.56 are affected by CVE-2024-2020.
What type of vulnerability is CVE-2024-2020?
CVE-2024-2020 is a stored cross-site scripting (XSS) vulnerability due to insufficient input sanitization.
Can authenticated users exploit CVE-2024-2020?
No, CVE-2024-2020 can only be exploited by unauthenticated attackers.
- collector/nvd-api
- source/NVD
- agent/author
- agent/references
- agent/type
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/weakness
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/wordpress
- canonical/codepeople calculated fields form