CVE-2024-9940

Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) (CWE-75)

Published: Oct 17, 2024 / Updated: 34d ago

010
CVSS 5.3EPSS 0.05%Medium
CVE info copied to clipboard

The Calculated Fields Form plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 5.2.45. This is due to the plugin not properly neutralizing HTML elements from submitted forms. This makes it possible for unauthenticated attackers to inject arbitrary HTML that will render when the administrator views form submissions in their email.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Timeline

First Article

Feedly found the first article mentioning CVE-2024-9940. See article

Oct 16, 2024 at 5:16 PM / VulDB Recent Entries
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Oct 16, 2024 at 5:17 PM
CVE Assignment

NVD published the first details for CVE-2024-9940

Oct 17, 2024 at 2:15 AM
CVSS

A CVSS base score of 5.3 has been assigned.

Oct 17, 2024 at 2:15 AM / nvd
EPSS

EPSS Score was set to: 0.05% (Percentile: 17.9%)

Oct 17, 2024 at 10:04 AM
Static CVE Timeline Graph

Affected Systems

Codepeople/calculated_fields_form
+null more

Links to Mitre Att&cks

T1070: Indicator Removal on Host
+null more

Attack Patterns

CAPEC-81: Web Logs Tampering
+null more

News

WordPress Vulnerability & Patch Roundup October 2024
Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-9528 Number of Installations: 500,000+ Affected Software: Contact Form Plugin by Fluent Forms <= 5.1.19 Patched Versions: Contact Form Plugin by Fluent Forms 5.1.20 Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-8499 Number of Installations: 400,000+ Affected Software: Checkout Field Editor for WooCommerce <= 2.0.3 Patched Versions: Checkout Field Editor for WooCommerce 2.0.4
WordPress Vulnerability &amp; Patch Roundup October 2024
Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-9528 Number of Installations: 500,000+ Affected Software: Contact Form Plugin by Fluent Forms <= 5.1.19 Patched Versions: Contact Form Plugin by Fluent Forms 5.1.20 Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-8499 Number of Installations: 400,000+ Affected Software: Checkout Field Editor for WooCommerce <= 2.0.3 Patched Versions: Checkout Field Editor for WooCommerce 2.0.4
WordPress Vulnerability &amp; Patch Roundup October 2024
Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-9528 Number of Installations: 500,000+ Affected Software: Contact Form Plugin by Fluent Forms <= 5.1.19 Patched Versions: Contact Form Plugin by Fluent Forms 5.1.20 Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-8499 Number of Installations: 400,000+ Affected Software: Checkout Field Editor for WooCommerce <= 2.0.3 Patched Versions: Checkout Field Editor for WooCommerce 2.0.4
Medium - CVE-2024-9940 - The Calculated Fields Form plugin for WordPress...
The Calculated Fields Form plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 5.2.45. This is due to the plugin not properly neutralizing HTML elements from...
CVE-2024-9940
The Calculated Fields Form plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 5.2.45. Gravedad 3.1 (CVSS 3.1 Base Score)
See 6 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:None
Scope:Unchanged
Confidentiality:None
Integrity:Low
Availability Impact:None

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI