vulnerability
WordPress Plugin: calculated-fields-form: CVE-2024-9940: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:N/AC:L/Au:N/C:N/I:P/A:N) | Oct 16, 2024 | May 15, 2025 | May 4, 2026 |
Severity
5
CVSS
(AV:N/AC:L/Au:N/C:N/I:P/A:N)
Published
Oct 16, 2024
Added
May 15, 2025
Modified
May 4, 2026
Description
The Calculated Fields Form plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 5.2.45. This is due to the plugin not properly neutralizing HTML elements from submitted forms. This makes it possible for unauthenticated attackers to inject arbitrary HTML that will render when the administrator views form submissions in their email.
Solution
calculated-fields-form-plugin-cve-2024-9940
References
- https://www.cve.org/CVERecord?id=CVE-2024-9940
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e2c9f6a5-8698-4452-bf0a-c1d796b2fdad?source=api-prod
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2024-50227
- CVE-2024-9940
- https://attackerkb.com/topics/CVE-2024-9940
- CWE-75
- CWE-79
- EUVD-EUVD-2024-50227
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.