CVE-2024-13382

4.8 MEDIUM

📋 TL;DR

This vulnerability in the Calculated Fields Form WordPress plugin allows administrators to inject malicious scripts into plugin settings, which then execute when other users view affected pages. It affects WordPress sites using vulnerable plugin versions, particularly in multisite configurations where unfiltered_html is restricted.

💻 Affected Systems

Products:
  • Calculated Fields Form WordPress plugin
Versions: All versions before 5.2.64
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin or equivalent high-privilege user; multisite setups where unfiltered_html is disallowed are specifically mentioned.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Administrator account compromise leads to site takeover, data theft, or malware distribution to visitors.

🟠 Likely Case: Privileged user injects scripts to steal session cookies, redirect users, or deface pages.

🟢 If Mitigated: Limited to authenticated admin users only, reducing attack surface significantly.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin-level access; no public exploit code identified at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.2.64

Vendor Advisory: https://wpscan.com/vulnerability/925de4af-fc71-45ae-8454-7e4f70be13ca/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Calculated Fields Form'.
4. Click 'Update Now' if available, or manually update to version 5.2.64 or later.

🔧 Temporary Workarounds

Temporary Plugin Deactivation

Disable the plugin until patched to prevent exploitation:

wp plugin deactivate calculated-fields-form

🧯 If You Can't Patch

  • Restrict admin access to trusted users only and monitor admin activity logs.
  • Implement Content Security Policy (CSP) headers to mitigate XSS impact.

🔍 How to Verify

Check if Vulnerable:

Check plugin version in WordPress admin under Plugins > Installed Plugins.

Check Version:

wp plugin get calculated-fields-form --field=version

Verify Fix Applied:

Confirm plugin version is 5.2.64 or later in the plugin details.
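Added example, not part of the advisory or the plugin project: a POSIX shell script that turns the version check above into a pass/fail test, so it can run across many sites from a cron job or deployment pipeline. It assumes wp-cli is installed; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin): compare an installed
# Calculated Fields Form version against the patched release 5.2.64.
# check_site assumes wp-cli; version_ge and cff_status need nothing else.

PATCHED_VERSION="5.2.64"

# version_ge A B -> exit status 0 if dotted version A >= B, 1 otherwise.
# Compares component by component as integers, so 5.2.100 > 5.2.64 and
# 5.3 > 5.2.64; missing components count as 0 (5.2 == 5.2.0).
# An empty or unparsable version compares as lower, i.e. "vulnerable".
version_ge() {
    a=${1%%[-+]*}; b=${2%%[-+]*}   # drop any -beta / +build suffix
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        if [ "$ah" = "$a" ]; then a=""; else a=${a#*.}; fi
        if [ "$bh" = "$b" ]; then b=""; else b=${b#*.}; fi
        ah=${ah:-0}; bh=${bh:-0}
        if [ "$ah" -gt "$bh" ] 2>/dev/null; then return 0; fi
        if [ "$ah" -lt "$bh" ] 2>/dev/null; then return 1; fi
    done
    return 0
}

# cff_status VERSION -> prints "patched" or "vulnerable" for CVE-2024-13382.
cff_status() {
    if version_ge "$1" "$PATCHED_VERSION"; then echo patched; else echo vulnerable; fi
}

# check_site WP_PATH -> reads the installed version with wp-cli and reports it.
# Exit 0 when patched, 1 when vulnerable, 2 when the plugin is not installed.
check_site() {
    ver=$(wp plugin get calculated-fields-form --field=version --path="$1" 2>/dev/null) || {
        echo "calculated-fields-form: not installed at $1"; return 2; }
    status=$(cff_status "$ver")
    echo "calculated-fields-form $ver: $status (fixed in $PATCHED_VERSION)"
    [ "$status" = patched ]
}

# Usage: . ./check_cff.sh; check_site /var/www/html
```

Run check_site once per WordPress root (for multisite, the network root is enough, since the plugin version is shared by all sites).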

📡 Detection & Monitoring

Log Indicators:

  • Unusual admin activity modifying plugin settings, especially with script-like payloads.

Network Indicators:

  • Unexpected script tags in HTTP responses from plugin-related pages.

SIEM Query:

source="wordpress.log" AND "Calculated Fields Form" AND ("updated" OR "modified")
