CVE-2024-0963: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in codepeople Calculated Fields Form
The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's CP_CALCULATED_FIELDS shortcode in all versions up to, and including, 1.2.52 due to insufficient input sanitization and output escaping on the user-supplied 'location' attribute. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2024-0963 is a stored cross-site scripting (XSS) vulnerability in the Calculated Fields Form plugin for WordPress, developed by codepeople. It affects all versions up to and including 1.2.52. The root cause is that the value of the user-supplied 'location' attribute of the plugin's CP_CALCULATED_FIELDS shortcode is neither validated on input nor escaped when the plugin writes it into the generated page. WordPress itself offers no protection at this point: a Contributor lacks the unfiltered_html capability, so KSES strips raw script tags from the post body, but a shortcode attribute value is ordinary text as far as KSES is concerned and is handed unchanged to the plugin's shortcode handler, which is then responsible for escaping it. An authenticated attacker with the Contributor role or higher can therefore place a crafted shortcode in a post and have arbitrary JavaScript emitted wherever that post is rendered. Contributors cannot publish, but an editor or administrator who previews or reviews the pending post loads the payload in their own privileged session, and once the post is published every visitor executes it. The CVSS v3.1 base score is 6.4 (medium): network attack vector, low attack complexity, low privileges required (Contributor), no user interaction, changed scope, and low impact on confidentiality and integrity with no impact on availability. No exploitation in the wild had been reported at the time of this analysis. The consequences of script execution in a victim's browser are the usual ones for stored XSS: reading data shown on the page, performing requests in the victim's authenticated session (WordPress auth cookies are HttpOnly by default, so same-origin requests rather than cookie theft are the practical vector), which for an administrator victim includes creating users or editing plugin files, defacing the page, and redirecting visitors to malware or phishing content. Because WordPress is widely deployed, including across Europe, the flaw can be used to compromise both sites and their visitors.
Potential Impact
For European organizations running WordPress with the Calculated Fields Form plugin, the vulnerability lets a low-privileged user turn a post into a delivery vehicle for script that runs in other users' browsers: data displayed on the page can be read, and actions can be performed on behalf of whoever loads it, including the editors and administrators who review pending content. It is most relevant where several people hold the Contributor role or above, such as content teams, external collaborators or multi-author sites that grant the role freely. Compromise of user sessions and site content damages reputation and, where personal data of users or visitors is exposed, triggers GDPR notification and compliance obligations. The injected script can also serve malware or phishing content to every visitor of the published page. The changed scope (S:C) in the CVSS vector reflects that the vulnerable component is the plugin on the web server while the injected code executes in the visitor's browser, a different security authority. Given the broad use of WordPress across European government, education and commerce, the impact is significant if left unmitigated.
Mitigation Recommendations
1. Upgrade: update the Calculated Fields Form plugin to a release later than 1.2.52, the end of the affected range. Where that is not immediately possible, deactivate the plugin or remove CP_CALCULATED_FIELDS shortcodes from content until it is.
2. Restrict roles: keep the Contributor role and above to trusted people, audit the user list and remove or downgrade stale accounts. If open registration is enabled, confirm that the new user default role is Subscriber rather than Contributor.
3. Web Application Firewall rules: rules that flag script-like content (`<script`, `javascript:`, inline `on...=` handlers) in shortcode attributes submitted through post.php or the REST posts endpoint add a layer of detection, but the request arrives from an authenticated editor session and such patterns can be encoded or varied, so treat this as defense in depth rather than a fix.
4. Validate and escape in the handler: a shortcode handler should check the 'location' value against the set of positions it actually supports and pass it through esc_attr() (or esc_html() / esc_js(), depending on the output context) when writing it into markup; an attribute value must never be interpolated into HTML unescaped. Site owners who cannot wait for the vendor can apply that change to the handler as a temporary patch, accepting that the next plugin update will overwrite it.
5. Monitor content and activity: search post_content for CP_CALCULATED_FIELDS shortcodes whose attributes contain markup or event handlers, including drafts and pending posts, since the payload needs no publication to reach a reviewer, and use revision history and audit logs to identify the account that inserted them.
6. Educate editors and administrators: reviewers preview pending contributor content in a privileged session and should treat unexpected shortcodes or attribute values in submitted content as suspicious and escalate them rather than previewing them.
7. Backup and incident response: keep recent backups of the database and files. If exploitation is found, remove the payload from the post and its revisions, rotate credentials and sessions for any administrator who may have loaded it, and check for follow-on persistence such as new administrator accounts or modified plugin and theme files.
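The following PHP is an added illustration of mitigation steps 4 and 5 and is not code from the Calculated Fields Form plugin or from codepeople. It contrasts a shortcode handler that interpolates the 'location' attribute unescaped with one that allowlists and escapes it, and adds a triage function that scans post content for CP_CALCULATED_FIELDS shortcodes carrying markup in their attributes. The cff_demo_ names, the CFF_DEMO_LOCATIONS allowlist and the sample post are assumptions made for the example; the plugin's real accepted location values are not stated on this page.

```php
<?php
// Added illustration for CVE-2024-0963; not code from the Calculated Fields
// Form plugin. Names prefixed cff_demo_ / CFF_DEMO_ are hypothetical, as is
// the allowlist of location values.

// Stand-in for WordPress's esc_attr() so this file runs under plain `php`;
// inside WordPress the real esc_attr() exists and this branch is skipped.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Assumed set of positions the form can be rendered in (not from the plugin).
const CFF_DEMO_LOCATIONS = ['top', 'bottom', 'inline'];

// Vulnerable pattern: the attribute text goes straight into the markup.
// KSES has already run on the post body, but it treats a shortcode attribute
// value as text, so nothing strips the payload before this point.
function cff_demo_render_unsafe(array $atts): string
{
    $location = $atts['location'] ?? 'inline';
    return '<div class="cff-form" data-location="' . $location . '"></div>';
}

// Hardened pattern: reject anything outside the allowlist, then escape on
// output anyway so a later change to the allowlist cannot reintroduce the bug.
function cff_demo_render_safe(array $atts): string
{
    $location = $atts['location'] ?? 'inline';
    if (!in_array($location, CFF_DEMO_LOCATIONS, true)) {
        $location = 'inline';
    }
    return '<div class="cff-form" data-location="' . esc_attr($location) . '"></div>';
}

// Triage helper for the monitoring step: given a post's content (for example
// wp_posts.post_content), list CP_CALCULATED_FIELDS shortcodes whose attribute
// values contain markup, a javascript: URL or an inline event handler.
function cff_demo_find_suspicious_shortcodes(string $content): array
{
    $findings = [];
    preg_match_all('/\[CP_CALCULATED_FIELDS\b([^\]]*)\]/i', $content, $tags, PREG_SET_ORDER);
    foreach ($tags as $tag) {
        // The three quoting forms WordPress's shortcode parser accepts:
        // name="value", name='value' and name=value.
        preg_match_all(
            '/(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\']+))/',
            $tag[1],
            $atts,
            PREG_SET_ORDER
        );
        foreach ($atts as $att) {
            // Exactly one of groups 2..4 matched; the others are empty or absent.
            $value = ($att[2] ?? '') . ($att[3] ?? '') . ($att[4] ?? '');
            if (preg_match('/[<>]|javascript:|\bon[a-z]+\s*=/i', $value)) {
                $findings[] = [
                    'shortcode' => $tag[0],
                    'attribute' => $att[1],
                    'value'     => $value,
                ];
            }
        }
    }
    return $findings;
}

// Constructed sample: a legitimate shortcode followed by one whose location
// attribute carries a generic XSS probe (not an exploit specific to this CVE).
$sample_post = '[CP_CALCULATED_FIELDS id="1" location="top"] '
             . '[CP_CALCULATED_FIELDS id="2" location=\'"><img src=x onerror=alert(1)>\']';

// The same probe as the handler would receive it after shortcode parsing.
$crafted = ['location' => '"><img src=x onerror=alert(1)>'];

echo "unsafe: ", cff_demo_render_unsafe($crafted), PHP_EOL;
echo "safe:   ", cff_demo_render_safe($crafted), PHP_EOL;
print_r(cff_demo_find_suspicious_shortcodes($sample_post));
```

Run it with `php` from the command line. The unsafe handler emits the probe's closing quote and image tag as live markup; the safe handler falls back to the allowlisted default and, because of esc_attr(), would neutralise the quote even if the allowlist were removed. The esc_attr() stand-in exists only so the file runs outside WordPress; in a plugin the two render functions are what you would register with add_shortcode(), and the scan function can be pointed at post_content pulled with WP-CLI or directly from the database, drafts and pending posts included.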
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-01-26T17:32:12.072Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d9819c4522896dcbd8d63
Added to database: 5/21/2025, 9:08:41 AM
Last enriched: 7/5/2025, 9:39:45 AM
Last updated: 7/31/2025, 10:23:42 AM