vulnerability

WordPress Plugin: calculated-fields-form: CVE-2023-51517: URL Redirection to Untrusted Site ('Open Redirect')

Try Surface Command
Back to search
Severity
4
CVSS
(AV:N/AC:L/Au:S/C:N/I:P/A:N)
Published
Dec 27, 2023
Added
May 15, 2025
Modified
Apr 30, 2026

Description

The Calculated Fields Form plugin for WordPress is vulnerable to Open Redirect via the plugin's shortcode(s) in all versions up to 1.2.29 (exclusive) due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to redirect users when they visit an injected page.

Solution

calculated-fields-form-plugin-cve-2023-51517

References

Title
Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report