CVE-2024-13381: 
WordPress vulnerability analysis and mitigation

The Calculated Fields Form WordPress plugin before version 5.2.62 contains a stored Cross-Site Scripting (XSS) vulnerability that affects high-privilege users such as administrators. The vulnerability was discovered and publicly disclosed on April 9, 2025, and was assigned CVE-2024-13381. This security issue specifically impacts WordPress installations using the Calculated Fields Form plugin, particularly in multisite setups where unfiltered HTML capabilities are typically restricted (WPScan).

The vulnerability stems from inadequate sanitization and escaping of certain plugin settings. Specifically, the issue affects the Slider field settings where malicious JavaScript can be injected through the 'Max' field and field caption. The vulnerability has received varying CVSS scores, with NIST assigning a base score of 4.8 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, while CISA-ADP rated it at 3.5 (LOW) with vector CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N. The vulnerability is classified under CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

When exploited, this vulnerability enables authenticated administrators to store and execute malicious JavaScript code on the website. The stored XSS attack can potentially affect other users who access the compromised forms, even in environments where unfiltered HTML is typically restricted. This is particularly concerning in multisite WordPress installations where content restrictions are normally enforced (WPScan).

The vulnerability has been patched in version 5.2.62 of the Calculated Fields Form plugin. Users are strongly advised to update to this version or later to mitigate the security risk (WPScan).