CVE-2026-3986 in Calculated Fields Form Plugin
Summary
by MITRE • 03/13/2026
The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form settings in all versions up to, and including, 5.4.5.0. This is due to insufficient capability checks on the form settings save handler and insufficient input sanitization of the `fcontent` field in `fhtml` field types. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 03/14/2026
The Calculated Fields Form plugin for WordPress presents a critical stored cross-site scripting vulnerability identified as CVE-2026-3986 affecting versions through 5.4.5.0. This vulnerability stems from inadequate capability verification within the form settings save handler mechanism, creating an exploitable condition that allows authenticated attackers with Contributor-level permissions or higher to execute malicious scripts. The flaw specifically manifests in the insufficient input sanitization of the fcontent field within fhtml field types, which represents a fundamental breakdown in the plugin's security architecture. The vulnerability operates through a stored XSS vector where malicious payloads are persisted within the plugin's form settings and executed whenever affected pages are accessed by users. This security weakness directly violates the principle of least privilege as defined by the Open Web Application Security Project, since the plugin fails to properly validate user capabilities before processing sensitive form data modifications.
The technical exploitation of this vulnerability occurs when an attacker with Contributor access or higher manipulates the form settings through the plugin's administrative interface. The insufficient capability checks mean that the plugin does not properly verify whether the requesting user possesses adequate permissions to modify form configurations, allowing unauthorized modifications to persist in the database. The fcontent field within fhtml field types lacks proper sanitization mechanisms, enabling attackers to inject malicious JavaScript code that gets stored and subsequently executed in the context of other users' browsers. This type of vulnerability aligns with CWE-79, which describes cross-site scripting flaws, and specifically represents a stored XSS variant that can affect multiple users who access pages containing the injected content. The attack vector operates through the WordPress plugin's form management system where legitimate form data processing is subverted to serve malicious purposes.
The operational impact of CVE-2026-3986 extends beyond simple script execution, as it can enable attackers to perform a wide range of malicious activities including session hijacking, credential theft, and data exfiltration. When users with higher privileges access pages containing the stored malicious scripts, their browsers execute the injected code in the context of their authenticated sessions, potentially allowing attackers to escalate their privileges or access sensitive data. The vulnerability affects the entire WordPress ecosystem where the plugin is installed, as any user with Contributor-level access or above can exploit this weakness. This represents a significant threat to WordPress sites since Contributors typically have the ability to create and modify posts, comments, and media files, making the attack surface particularly broad. The stored nature of the vulnerability means that once injected, malicious code persists until manually removed, creating a long-term security risk for affected installations.
Organizations should implement immediate mitigations including upgrading to the latest plugin version that addresses this vulnerability, which would typically involve patching the capability checking mechanisms and implementing proper input sanitization for the fcontent field. The recommended approach follows the ATT&CK framework's mitigation strategies for web application vulnerabilities, specifically focusing on input validation and privilege enforcement. Administrators should also consider implementing additional security controls such as role-based access restrictions, regular security audits, and monitoring for unauthorized modifications to form settings. The vulnerability highlights the importance of proper security testing and validation of user capabilities within WordPress plugins, particularly those handling form data and user-generated content. Organizations should conduct comprehensive vulnerability assessments to identify other plugins that may exhibit similar capability checking failures, as this represents a broader class of security weaknesses that can compromise WordPress installations. The remediation process should include thorough testing of the patched version to ensure that legitimate functionality remains intact while eliminating the XSS attack vector.