CVE-2024-0963: 
WordPress vulnerability analysis and mitigation

The Calculated Fields Form plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability (CVE-2024-0963) in versions up to and including 1.2.52. The vulnerability was discovered by Richard Telleng and publicly disclosed on February 1, 2024 (Wordfence, WPScan).

The vulnerability exists in the plugin's CP_CALCULATED_FIELDS shortcode due to insufficient input sanitization and output escaping on the user-supplied 'location' attribute. The issue has been assigned a CVSS v3.1 base score of 5.4 (Medium) by NVD with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Wordfence rated it at 6.4 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD).

This vulnerability allows authenticated attackers with contributor-level permissions or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page (NVD).

The vulnerability has been patched in version 1.2.53 of the Calculated Fields Form plugin. Users are advised to update to this version or later to protect against this security issue (WPScan).