CVE-2024-9940

5.3 MEDIUM

📋 TL;DR

The Calculated Fields Form WordPress plugin, in all versions up to and including 5.2.45, does not sanitize submitted form values before they are placed in the notification e-mail. An unauthenticated visitor can therefore inject arbitrary HTML into a form submission, and that HTML renders when an administrator opens the submission in a mail client. Every WordPress site running a vulnerable version with a form that accepts public submissions is affected.

💻 Affected Systems

Products:
  • Calculated Fields Form WordPress Plugin
Versions: All versions up to and including 5.2.45
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the plugin to be installed and active with forms accepting user submissions. WordPress core version does not affect vulnerability.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could inject HTML, and possibly JavaScript, into the notification an administrator opens. Most mail clients do not execute scripts in HTML mail, so the realistic worst case is a convincing phishing message carried inside a trusted notification (for example a spoofed "session expired" link pointing at a look-alike login page), leading to credential theft, session hijacking, or further compromise of the WordPress admin panel.

🟠

Likely Case

Attackers inject phishing links, fake login prompts, redirects, or defacement content that shows up inside otherwise legitimate administrator notification e-mails, tricking administrators into clicking through or entering credentials.

🟢

If Mitigated

If administrators' mail clients display notifications as plain text or strip active content, and administrators know that these notifications can carry attacker-controlled markup, the injected HTML is shown as inert text or dropped, limiting the impact to visual spam.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires no authentication and minimal technical skill: the attacker fills in the public form, puts HTML in any text field, submits it, and waits for the notification e-mail to reach an administrator.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.2.46 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3168950%40calculated-fields-form&new=3168950%40calculated-fields-form&sfp_email=&sfph_mail=

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Calculated Fields Form'.
4. Click 'Update Now' if available, or download version 5.2.46 or later from the WordPress plugin repository.
5. Activate the updated plugin.

🔧 Temporary Workarounds

Disable Form Email Notifications

all

Temporarily disable the plugin's e-mail notifications for form submissions so that attacker-controlled values are not rendered in anyone's mail client. Administrators lose the notifications they rely on while this is in place, so treat it as a stopgap until the update is applied.

Enable Email HTML Filtering

all

Configure the mail clients used by site administrators to display messages as plain text, or to strip HTML, so that injected markup is shown as literal text rather than rendered.

🧯 If You Can't Patch

  • Disable the Calculated Fields Form plugin entirely until it can be updated.
  • Add web application firewall rules that block or strip HTML tags in form-submission fields. Match on the decoded request body, since payloads arrive URL-encoded (for example %3Cscript%3E rather than <script>).

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for the Calculated Fields Form version. If it is 5.2.45 or lower, the site is vulnerable.

Check Version:

wp plugin list --name='calculated-fields-form' --field=version (if WP-CLI installed)
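For more than a handful of sites, the WP-CLI output is easier to consume as JSON (`wp plugin list --format=json`) and compared numerically, since a string comparison would rank 5.10.0 below 5.2.46. The script below is an added example for this advisory, not code from the plugin or from WP-CLI; the four site names and their JSON are constructed so it runs offline, and the fixed version 5.2.46 is taken from the advisory.

```python
"""Fleet check for CVE-2024-9940: flag Calculated Fields Form installs older than 5.2.46.

Added example for this advisory, not code from the plugin or from WP-CLI.
It consumes the JSON that `wp plugin list --format=json` prints; a constructed
sample for four hypothetical sites is embedded so the script runs offline.
"""
import json
import re

PLUGIN_SLUG = "calculated-fields-form"
FIXED_VERSION = "5.2.46"  # first release with the fix, per the advisory

# Constructed `wp plugin list --format=json` output, one string per site.
SAMPLE_WP_CLI_JSON = {
    "shop.example": '[{"name":"calculated-fields-form","status":"active","update":"available","version":"5.2.45"},'
                    '{"name":"akismet","status":"active","update":"none","version":"5.3"}]',
    "blog.example": '[{"name":"calculated-fields-form","status":"active","update":"none","version":"5.2.46"}]',
    "legacy.example": '[{"name":"calculated-fields-form","status":"inactive","update":"available","version":"5.1.20"}]',
    "docs.example": '[{"name":"akismet","status":"active","update":"none","version":"5.3"}]',
}


def parse_version(version: str) -> tuple:
    """Turn '5.2.45' into (5, 2, 45) so versions compare numerically.

    String comparison would wrongly rank '5.10.0' below '5.2.46'. A pre-release
    suffix such as '46-beta' is ignored and treated as the numbered release.
    """
    nums = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums)


def is_vulnerable(version: str) -> bool:
    """True for every version the advisory lists as affected (5.2.45 and below)."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def find_vulnerable_sites(wp_cli_outputs: dict) -> dict:
    """Map site -> (version, status) for each site running a pre-fix version.

    Inactive installs are reported too: a deactivated plugin is not exploitable,
    but it is one click away from being re-enabled, so it still needs the update.
    """
    hits = {}
    for site, raw_json in wp_cli_outputs.items():
        for plugin in json.loads(raw_json):
            if plugin["name"] == PLUGIN_SLUG and is_vulnerable(plugin["version"]):
                hits[site] = (plugin["version"], plugin["status"])
    return hits


if __name__ == "__main__":
    for site, (version, status) in find_vulnerable_sites(SAMPLE_WP_CLI_JSON).items():
        print(f"{site}: {PLUGIN_SLUG} {version} ({status}) - update to {FIXED_VERSION} or later")
```

In practice, replace the embedded sample with the output of `wp plugin list --format=json` collected from each site (for example over SSH); the field names `name`, `status`, `update` and `version` are the ones WP-CLI prints by default.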

Verify Fix Applied:

Confirm that the plugin version shown in the WordPress admin panel is 5.2.46 or higher. Then submit a test entry through the live form containing a harmless tag such as <b>cff-check</b> and inspect the resulting notification e-mail, ideally its raw source: after the fix the tag should arrive as literal text (or be stripped), not rendered as bold.
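To make the bug class and the verification step concrete, here is an added Python example; the plugin itself is PHP and this is not its code. It assumes, for illustration only, that the notification is a two-column HTML table of field names and values: the "vulnerable" builder interpolates submitted values verbatim, the "hardened" builder escapes them, and the check function decides from the raw e-mail body whether a submitted marker came through sanitized. The submission content and hostname are constructed.

```python
"""The bug class behind CVE-2024-9940 and a check for the fix, as an added Python
example; the plugin is PHP and this is not its code. The notification layout
(a two-column table of field names and values) is assumed for illustration.
"""
from html import escape

# Constructed submission: an attacker types markup into ordinary text fields.
# Mail clients generally do not run scripts, so the payload that matters is the
# phishing link, which renders as a normal clickable link in the notification.
ATTACKER_SUBMISSION = {
    "name": "Jane <b>Doe</b>",
    "message": '<a href="https://evil.example/wp-login">Your admin session expired, sign in again</a>',
}


def render_notification_vulnerable(fields: dict) -> str:
    """Pre-fix behaviour: values are interpolated verbatim, so submitted tags become part of the mail's markup."""
    rows = "".join(f"<tr><th>{k}</th><td>{v}</td></tr>" for k, v in fields.items())
    return f"<html><body><table>{rows}</table></body></html>"


def render_notification_hardened(fields: dict) -> str:
    """Fixed behaviour: names and values are HTML-escaped, so '<' arrives as '&lt;' and is displayed, not rendered."""
    rows = "".join(f"<tr><th>{escape(k)}</th><td>{escape(v)}</td></tr>" for k, v in fields.items())
    return f"<html><body><table>{rows}</table></body></html>"


def submission_is_sanitized(email_body: str, marker: str = "<b>cff-check</b>", inner: str = "cff-check") -> bool:
    """Verification check after updating.

    Submit `marker` through the live form, then look at the raw source of the
    notification e-mail. The fix is in place if the marker's text reached the
    mail (so we are looking at the right message) but the raw tag did not:
    escaping (&lt;b&gt;cff-check&lt;/b&gt;) and stripping (just 'cff-check')
    both count as fixed; the literal '<b>cff-check</b>' is a fail.
    """
    return marker not in email_body and inner in email_body


if __name__ == "__main__":
    for label, render in (("vulnerable", render_notification_vulnerable), ("hardened", render_notification_hardened)):
        body = render({"name": "<b>cff-check</b>"})
        print(f"{label}: sanitized={submission_is_sanitized(body)}")
```

Use a marker that no legitimate submitter would send, and read the e-mail source rather than the rendered view: a client that strips tags on display would hide a raw tag that is still present in the message.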

📡 Detection & Monitoring

Log Indicators:

  • HTML tags (<script>, <iframe>, <a href=...>, <img ...>) or javascript: URLs in stored form submissions or in the notification e-mails themselves
  • A burst of submissions containing markup from a single client IP address

Network Indicators:

  • HTTP POST requests to the site's form pages whose bodies contain HTML, which on the wire will usually be URL-encoded (%3Cscript%3E, %3Ciframe, %3Ca+href)

Standard web server access logs record the request line but not the POST body, so body matching needs a WAF audit log, a reverse proxy configured to log request bodies, or application-level logging of submissions.

SIEM Query:

source="wordpress.log" AND "calculated-fields-form" AND ("<script" OR "%3Cscript" OR "<iframe" OR "%3Ciframe" OR "<a href" OR "%3Ca+href" OR "javascript:" OR "javascript%3A")

Match on both the literal and the URL-encoded form of each term, and on anchor tags as well as script and iframe: the likely attack is a phishing link with no script in it at all.
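Keyword queries like the one above miss double-encoded and mixed-case payloads. The script below is an added example for this advisory, not code from the plugin or from any SIEM product: it decodes each request body until it stops changing, then flags any real HTML tag or javascript: URL while ignoring a bare "<" in ordinary text. The log format (timestamp, client IP, method, path, URL-encoded body), the /contact/ path and the hostnames are constructed stand-ins for what a WAF audit log or application-level submission log would provide.

```python
"""Detection for CVE-2024-9940 exploitation attempts over request-body logs.

Added example for this advisory, not code from the plugin or from any SIEM.
Standard web server access logs do not record POST bodies, so the input here
is a constructed, simplified log in the shape a WAF audit log or an
application-level submission log might produce:
    <timestamp> <client-ip> POST <path> body=<urlencoded form body>
The form path and the hostnames are placeholders, not the plugin's real ones.
"""
import re
from urllib.parse import unquote_plus

# Constructed sample. Lines 2-5 are attempts a literal "<script>" query would
# partly miss: a URL-encoded script, a double-encoded iframe, a plain phishing
# anchor with no script at all, and an upper-case anchor with a javascript: URL.
# Line 6 is a benign message with a bare "<" that must not be flagged.
SAMPLE_LOG = [
    "2024-10-22T10:15:03Z 203.0.113.5 POST /contact/ body=name%3DJane%26message%3DHello+there",
    "2024-10-22T10:16:41Z 198.51.100.7 POST /contact/ body=name%3D%3Cscript%3Ealert(1)%3C%2Fscript%3E%26message%3Dhi",
    "2024-10-22T10:17:02Z 198.51.100.7 POST /contact/ body=name%3Dx%26message%3D%253Ciframe%2520src%253D%2522https%253A%252F%252Fevil.example%252F%2522%253E",
    "2024-10-22T10:18:19Z 198.51.100.7 POST /contact/ body=name%3DAdmin%26message%3D%3Ca+href%3D%22https%3A%2F%2Fevil.example%2Fwp-login%22%3ESession+expired%3C%2Fa%3E",
    "2024-10-22T10:19:55Z 198.51.100.7 POST /contact/ body=message%3D%3CA+HREF%3D%22javascript%3Aalert(1)%22%3Eclick%3C%2FA%3E",
    "2024-10-22T10:21:10Z 203.0.113.9 POST /contact/ body=message%3D2+%3C+3+and+5+%3E+4",
    "2024-10-22T10:22:30Z 203.0.113.9 GET /contact/",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) POST (?P<path>\S+) body=(?P<body>\S*)$")
# A real tag: '<', optional '/', then a tag name. A bare '<' in prose ("2 < 3") does not match.
TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9-]*)[^>]*>")
JS_SCHEME_RE = re.compile(r"javascript\s*:", re.IGNORECASE)


def decode_body(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so single- and double-encoded payloads both surface."""
    current = raw
    for _ in range(max_rounds):
        decoded = unquote_plus(current)
        if decoded == current:
            break
        current = decoded
    return current


def scan_line(line: str):
    """Return a finding dict for a POST whose decoded body carries HTML, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    body = decode_body(m["body"])
    tag_names = sorted({name.lower() for name in TAG_RE.findall(body)})
    js_scheme = bool(JS_SCHEME_RE.search(body))
    if not tag_names and not js_scheme:
        return None
    return {"ts": m["ts"], "ip": m["ip"], "path": m["path"], "tags": tag_names, "js_scheme": js_scheme}


def scan_log(lines) -> list:
    """Findings for every line, in log order."""
    return [f for f in (scan_line(line) for line in lines) if f is not None]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']} tags={f['tags']} javascript_url={f['js_scheme']}")
```

Tune the tag pattern to the site: a form that legitimately accepts a little markup will need an allow-list, but for a plain contact form any tag in a submission is worth an alert, and several from one IP in a short window is worth a block.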
