CVE-2023-0389: 
WordPress vulnerability analysis and mitigation

The Calculated Fields Form WordPress plugin before version 1.1.151 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability exists due to insufficient sanitization and escaping of form settings, which affects high-privilege users such as administrators, even when the unfiltered_html capability is disallowed in configurations like multisite setups. The vulnerability was discovered and publicly disclosed on January 17, 2023 (WPScan Details).

The vulnerability stems from improper sanitization and escaping of form settings in the plugin's dropdown fields functionality. The issue specifically manifests when handling form settings, allowing for stored XSS attacks. The vulnerability has been assigned a CVSS score of 3.5 (low severity) and is classified under CWE-79. Multiple partial fixes were implemented in versions 1.1.148, 1.1.150, before the final fix in version 1.1.151 (WPScan Details).

The vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks. This is particularly significant in multisite setups where the unfiltered_html capability is typically disallowed for security reasons (CVE Details).

The vulnerability has been fully patched in version 1.1.151 of the Calculated Fields Form plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan Details).