Calculated Fields Form < 1.0.354 - Authenticated Stored XSS



Description
"An authenticated user with access to edit or create Calculated Fields Form content can inject JavaScript into input fields such as ‘field name’ and ‘form name’."

Affects Plugin

Fixed in version 1.0.354

References

CVE 2020-7228
URL https://spider-security.co.uk/blog-cve-2020-7228
URL https://plugins.trac.wordpress.org/changeset/2230479

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher Ben Armstrong (Spider Sec Ltd)
Views 3794
Verified No
WPVDB ID 10043

Timeline

Publicly Published 2020-01-22
Added 2020-01-22
Last Updated 2020-01-23
