CVE-2025-49291

4.3 MEDIUM

📋 TL;DR

A Cross-Site Request Forgery (CSRF) vulnerability in the Calculated Fields Form WordPress plugin allows attackers to trick authenticated administrators into performing unintended actions. This affects WordPress sites using the plugin from any version up to 5.3.58. Attackers could modify form settings or potentially perform other administrative actions.

💻 Affected Systems

Products:
  • Calculated Fields Form WordPress Plugin
Versions: n/a through 5.3.58
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress installations with the Calculated Fields Form plugin installed and activated. Requires an authenticated administrator to be tricked into visiting a malicious page.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could trick an administrator into changing form configurations, redirecting form submissions to malicious sites, or performing other administrative actions that compromise form functionality or data integrity.

🟠 Likely Case

Attackers modify form settings to redirect submissions, change calculation formulas, or alter form behavior in ways that could lead to data manipulation or phishing.

🟢 If Mitigated

With proper CSRF protections and user awareness, the risk is limited to unsuccessful exploitation attempts with no impact on form functionality.
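What "proper CSRF protections" look like in a WordPress plugin, as an added example that is not the Calculated Fields Form plugin's own code: an admin settings form whose save handler is tied to a WordPress nonce and a capability check. The option name, nonce action, field name and function names are hypothetical.

```php
<?php
// Added example, not the Calculated Fields Form plugin's code: the standard
// WordPress pattern for a CSRF-safe admin settings form. Option name, nonce
// action and field name are hypothetical.
const CFF_EXAMPLE_OPTION = 'cff_example_settings';
const CFF_EXAMPLE_ACTION = 'cff_example_save';

// Render the form. wp_nonce_field() embeds a per-user, time-limited token
// that a page on another origin cannot read, so it cannot be forged.
function cff_example_render_form() {
    $current = get_option( CFF_EXAMPLE_OPTION, array( 'redirect_url' => '' ) );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="<?php echo esc_attr( CFF_EXAMPLE_ACTION ); ?>">
        <?php wp_nonce_field( CFF_EXAMPLE_ACTION, '_cff_nonce' ); ?>
        <label>Redirect URL
            <input type="url" name="redirect_url"
                   value="<?php echo esc_attr( $current['redirect_url'] ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Handle admin-post.php?action=cff_example_save. Both checks are needed:
// the capability check stops low-privileged users, the nonce check stops
// a forged request that rides on an administrator's logged-in session.
function cff_example_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // Dies with HTTP 403 if the nonce is missing, expired or not for this action.
    check_admin_referer( CFF_EXAMPLE_ACTION, '_cff_nonce' );

    $redirect = isset( $_POST['redirect_url'] )
        ? esc_url_raw( wp_unslash( $_POST['redirect_url'] ) )
        : '';
    update_option( CFF_EXAMPLE_OPTION, array( 'redirect_url' => $redirect ) );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ?: admin_url() ) );
    exit;
}
add_action( 'admin_post_' . CFF_EXAMPLE_ACTION, 'cff_example_save_settings' );
```

A handler that saves settings without the nonce check is exactly what a cross-origin page can drive through an administrator's browser; the nonce is what makes the request unforgeable.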

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires social engineering to trick an authenticated administrator into clicking a malicious link or visiting a compromised page.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.3.59 or later

Vendor Advisory: https://patchstack.com/database/wordpress/plugin/calculated-fields-form/vulnerability/wordpress-calculated-fields-form-5-3-58-cross-site-request-forgery-csrf-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Calculated Fields Form'.
4. Click 'Update Now' if available, or download version 5.3.59+ from WordPress.org.
5. Activate the updated plugin.

🔧 Temporary Workarounds

Temporary Plugin Deactivation (applies to: all)

Disable the plugin until patched to prevent exploitation.

wp plugin deactivate calculated-fields-form

Admin Session Management (applies to: all)

Implement strict session timeouts and require re-authentication for sensitive actions.

🧯 If You Can't Patch

  • Implement Content Security Policy (CSP) headers to restrict form actions.
  • Use browser extensions that block CSRF attempts and educate administrators about phishing risks.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin > Plugins > Installed Plugins for Calculated Fields Form version. If version is 5.3.58 or lower, the system is vulnerable.

Check Version:

wp plugin get calculated-fields-form --field=version

Verify Fix Applied:

Verify the plugin version is 5.3.59 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected form configuration changes in WordPress logs
  • Multiple failed admin actions from same session

Network Indicators:

  • Unusual POST requests to wp-admin/admin-ajax.php with calculated-fields-form parameters

SIEM Query:

source="wordpress.log" AND "calculated-fields-form" AND ("action=update" OR "action=save")
