The vulnerability identified as CVE-2024-0963 affects the Calculated Fields Form plugin for WordPress, specifically versions up to and including 1.2.52. This plugin allows users to create forms with calculated fields using shortcodes, including CP_CALCULATED_FIELDS. The vulnerability is a stored cross-site scripting (XSS) flaw classified under CWE-79, caused by improper neutralization of input during web page generation. The root cause is insufficient sanitization and output escaping of the 'location' attribute supplied by users within the shortcode. Authenticated attackers with contributor-level or higher permissions can exploit this by injecting arbitrary JavaScript code into pages or posts that use the vulnerable shortcode. When other users visit these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or data theft. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) indicates network attack vector, low attack complexity, requiring privileges but no user interaction, with a scope change and low impact on confidentiality and integrity, and no impact on availability. No patches or official fixes are currently linked, and no known exploits in the wild have been reported, but the vulnerability is publicly disclosed and enriched by CISA. This vulnerability is particularly concerning because contributor-level users are common in WordPress environments, and stored XSS can have persistent and widespread effects.

The primary impact of CVE-2024-0963 is the potential for attackers with contributor-level access to inject malicious scripts that execute in the browsers of site visitors and administrators. This can lead to theft of authentication cookies, enabling session hijacking and unauthorized access escalation. It can also facilitate defacement, phishing, or distribution of malware through the compromised site. The vulnerability affects the confidentiality and integrity of user data and site content but does not directly affect availability. Organizations relying on the Calculated Fields Form plugin risk compromise of user accounts and sensitive data, especially in environments with multiple contributors or editors. The scope of affected systems is broad given WordPress's global popularity and the plugin's usage, potentially impacting websites ranging from small blogs to enterprise portals. The requirement for authenticated access limits exploitation to insiders or compromised accounts, but this is a common threat vector in CMS environments. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as proof-of-concept code may emerge.

To mitigate CVE-2024-0963, organizations should first check for plugin updates from codepeople that address this vulnerability and apply them promptly once available. In the absence of an official patch, administrators should restrict contributor-level permissions to trusted users only and audit existing content for injected scripts. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script payloads in shortcode attributes can reduce risk. Additionally, site owners can sanitize user inputs at the application level by customizing the shortcode handler to enforce strict validation and escaping of the 'location' attribute. Monitoring logs for unusual contributor activity and scanning site content for injected scripts are also recommended. Educating contributors about safe content practices and limiting plugin usage to essential sites can further reduce exposure. Finally, consider disabling or replacing the Calculated Fields Form plugin with alternatives that follow secure coding practices until a fix is confirmed.