CVE-2024-9940
Calculated Fields Form <= 5.2.45 - HTML Injection
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
The Calculated Fields Form plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 5.2.45. This is due to the plugin not properly neutralizing HTML elements from submitted forms. This makes it possible for unauthenticated attackers to inject arbitrary HTML that will render when the administrator views form submissions in their email.
El complemento Calculated Fields Form para WordPress es vulnerable a la inyección de HTML en todas las versiones hasta la 5.2.45 incluida. Esto se debe a que el complemento no neutraliza correctamente los elementos HTML de los formularios enviados. Esto permite que atacantes no autenticados inyecten HTML arbitrario que se mostrará cuando el administrador vea los envíos de formularios en su correo electrónico.
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2024-10-14 CVE Reserved
- 2024-10-16 CVE Published
- 2024-10-17 CVE Updated
- 2024-10-17 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
CAPEC
References (2)
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Codepeople Search vendor "Codepeople" | Calculated Fields Form Search vendor "Codepeople" for product "Calculated Fields Form" | <= 5.2.45 Search vendor "Codepeople" for product "Calculated Fields Form" and version " <= 5.2.45" | en |
Affected
| ||||||