CVE-2024-12273: 
WordPress vulnerability analysis and mitigation

The Calculated Fields Form WordPress plugin before version 5.2.62 contains a stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-12273. The vulnerability was discovered by Dmitrii Ignatyev and was assigned on December 5, 2024. This security issue specifically affects high-privilege users such as administrators, particularly in multisite setup environments (WPScan).

The vulnerability stems from improper sanitization and escaping of certain settings within the plugin. This security flaw allows high-privilege users to perform Stored Cross-Site Scripting attacks, even in scenarios where the unfiltered_html capability is explicitly disallowed, such as in multisite setups. The vulnerability has been assigned a CVSS score of 3.5 (low severity) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N (WPScan).

When exploited, this vulnerability could allow privileged users to inject and store malicious scripts in the plugin settings. These scripts could then be executed when other users access the affected pages, potentially leading to unauthorized actions being performed in the context of the victim's session (WPScan).

Users are advised to update their Calculated Fields Form WordPress plugin to version 5.2.62 or later, which contains the fix for this vulnerability (MITRE).