CVE-2023-6446 in Calculated Fields Form Plugin
Summary
by MITRE • 01/11/2024
The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.40 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 04/11/2026
The Calculated Fields Form plugin for WordPress represents a critical security vulnerability classified as CVE-2023-6446, which manifests as a stored cross-site scripting flaw affecting versions up to and including 1.2.40. This vulnerability exists within the plugin's administrative settings interface and specifically targets installations that operate under multi-site configurations or those where the unfiltered_html capability has been restricted. The flaw stems from inadequate input sanitization mechanisms and insufficient output escaping procedures that fail to properly validate and sanitize user-supplied data before it is processed and stored within the WordPress database. The vulnerability operates under CWE-79 which categorizes it as a cross-site scripting attack vector, specifically targeting the storage phase of malicious script execution rather than the more common reflected XSS patterns.
Attackers exploiting this vulnerability must possess administrator-level permissions or higher within the WordPress environment, making this a privilege escalation concern that leverages existing administrative access to compromise the broader system. The security implications are particularly severe in multi-site installations where the compromised administrator could potentially affect multiple sites within the network, creating a propagation vector that extends beyond individual site boundaries. The vulnerability becomes operational when authenticated attackers inject malicious scripts through the plugin's administrative settings, which are then stored persistently in the database and executed whenever any user accesses pages containing the injected content. This stored nature of the vulnerability means that the malicious payload remains active until manually removed, creating a persistent threat vector that can affect numerous users over extended periods.
The operational impact of this vulnerability extends beyond simple script execution to encompass potential data exfiltration, session hijacking, and further privilege escalation attacks. The attacker could potentially steal administrator credentials, manipulate site content, or redirect users to malicious domains, all while maintaining persistent access through the stored script payload. The restriction on unfiltered_html in affected installations creates a false sense of security, as administrators may believe their sites are protected from such attacks when the vulnerability remains present in the plugin's handling of user input. This vulnerability directly maps to several ATT&CK techniques including T1059 for command and scripting interpreter and T1566 for credential harvesting, as the stored scripts could be used to capture user sessions or extract sensitive information from the compromised environment.
Mitigation strategies for CVE-2023-6446 should prioritize immediate plugin updates to versions that address the input sanitization and output escaping deficiencies. Organizations should implement comprehensive monitoring of administrative activities and user sessions to detect potential exploitation attempts, while also considering the deployment of web application firewalls that can identify and block malicious script injection attempts. The principle of least privilege should be enforced by limiting administrative access to only essential personnel and regularly auditing user permissions within the WordPress installation. Additionally, implementing Content Security Policy headers can provide an additional layer of protection against script execution, though this measure should complement rather than replace the core patching and input validation fixes. Regular security assessments and vulnerability scanning of WordPress installations should include verification of plugin versions and their compliance with security best practices to prevent similar vulnerabilities from remaining undetected in production environments.