Calculated Fields Form < 1.0.354 - Authenticated Stored XSS



Description
"An authenticated user with access to edit or create Calculated Fields Form content can inject javascript into input fields such as ‘field name’ and ‘form name’."

Affects Plugin

fixed in version 1.0.354

References

CVE 2020-7228
URL https://spider-security.co.uk/blog-cve-2020-7228
URL https://plugins.trac.wordpress.org/changeset/2230479

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher Ben Armstrong (Spider Sec Ltd)
Verified No
WPVDB ID 10043

Timeline

Publicly Published 2020-01-22
Added 2020-01-22
Last Updated 2020-01-23
