CVE-2024-13381: CWE-79 Cross-Site Scripting (XSS) in Unknown Calculated Fields Form
The Calculated Fields Form WordPress plugin before 5.2.62 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
AI Analysis
Technical Summary
CVE-2024-13381 is a stored cross-site scripting (XSS) vulnerability in the Calculated Fields Form WordPress plugin, affecting versions before 5.2.62; 5.2.62 is the release that contains the fix. The root cause is that some of the plugin's settings are stored without sanitisation and rendered without escaping. A user with high privileges, typically an administrator, can save script in one of those settings, and the script then executes in the browser of anyone who later loads the page where that setting is rendered. The detail that matters is the bypass of unfiltered_html. WordPress core passes post content through kses for any user who lacks that capability, and in a multisite network only super admins hold it by default, so a site administrator is expected to be unable to persist raw <script>. Plugin settings saved from raw request input do not pass through kses unless the plugin applies it itself, which is why the capability restriction gives no protection here. Exploitation requires an authenticated high-privilege account and a victim who views the affected page. The CVSS 3.1 base score is 3.5 (low): limited confidentiality and integrity impact, no availability impact, high privileges required and user interaction required. No exploitation in the wild has been reported. The weakness is CWE-79 (improper neutralisation of input during web page generation). The plugin is widely installed for building forms with calculated fields, so exposure is broad even though the preconditions are narrow. The advisory was published on May 1, 2025; the absence of a patch link in this record does not mean a fix is pending, since the version range in the description already identifies 5.2.62 as the fixed release.
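The pattern the summary describes, as an added example (this is not the plugin's code and not its actual fix; the cff_demo_ function names, the option key and the form field are hypothetical). The vulnerable pair stores a setting verbatim and echoes it raw, so kses is never consulted and unfiltered_html is not enforced; the hardened pair sanitises on write with the same capability check core uses for post content and escapes on read for the context the value lands in.

```php
<?php
// Added example, not code from the Calculated Fields Form plugin.
// cff_demo_* names, the option key and the 'thank_you_text' field are hypothetical.

// VULNERABLE PATTERN: the class of bug CVE-2024-13381 describes.
function cff_demo_save_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'cff_demo_save' );
    // Stored verbatim: wp_kses is never consulted, so a user without
    // unfiltered_html can still persist <script> here.
    update_option( 'cff_demo_thank_you_text', wp_unslash( $_POST['thank_you_text'] ?? '' ) );
}

function cff_demo_render_vulnerable() {
    $value = get_option( 'cff_demo_thank_you_text', '' );
    // Raw output inside an attribute and inside the page body: a stored
    // "><script>...</script> breaks out of the attribute and runs for
    // every admin who opens the settings page.
    echo '<input type="text" name="thank_you_text" value="' . $value . '">';
    echo '<div class="cff-preview">' . $value . '</div>';
}

// HARDENED PATTERN: sanitise on write, escape on read, and respect
// unfiltered_html exactly as core does for post content.
function cff_demo_sanitize_setting( $raw ) {
    $raw = (string) $raw;
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $raw; // super admins (and single-site admins by default) keep raw HTML
    }
    // Everyone else gets the post-content allowlist: <script>, on* event
    // handlers and javascript: URLs are stripped.
    return wp_kses_post( $raw );
}

function cff_demo_save_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'cff_demo_save' );
    $clean = cff_demo_sanitize_setting( wp_unslash( $_POST['thank_you_text'] ?? '' ) );
    update_option( 'cff_demo_thank_you_text', $clean );
}

function cff_demo_render_hardened() {
    $value = get_option( 'cff_demo_thank_you_text', '' );
    // Context-specific escaping at the point of output, independent of
    // whatever sanitisation happened on save.
    echo '<input type="text" name="thank_you_text" value="' . esc_attr( $value ) . '">';
    // The preview is meant to render limited HTML, so it is filtered with
    // the kses allowlist again at output time instead of being esc_html'd.
    echo '<div class="cff-preview">' . wp_kses_post( $value ) . '</div>';
}
```

When the setting is registered through the Settings API, the same logic belongs in the `sanitize_callback` argument of `register_setting()`, which core invokes on every write to that option. The two halves are independent defences: escaping on output protects against values that were stored before the fix or written by another code path, and sanitising on input keeps the database clean for every consumer of the option.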
Potential Impact
For European organizations, the impact is persistent script injection by an account that is already trusted with administration of a site. The vulnerability does not grant new rights on its own, but it does let script written by one administrator run in the browser of every other administrator who opens the affected page, with that victim's session and capabilities. That can be used for session hijacking, exfiltration of data visible in wp-admin, or silent changes to site content and settings. In multisite deployments, common in large organizations and universities, the consequence is sharper: unfiltered_html is normally reserved for super admins there, so a site administrator who can persist raw script and have a super admin view it crosses the trust boundary that capability is meant to enforce. Availability is not affected, but the integrity and confidentiality of administrative operations can be. The low CVSS score reflects the high privilege and user interaction required, not a lack of consequence once those conditions hold, so the issue should not be ignored where several administrators manage sensitive data or where the plugin is heavily used. No known exploitation reduces the immediate risk, but the flaw is usable in targeted attacks by an insider or by an attacker who has already obtained one admin account and wants another.
Mitigation Recommendations
- Upgrade the Calculated Fields Form plugin to version 5.2.62 or later; that release contains the fix, so no further patch needs to be awaited. Until the upgrade is applied, audit the plugin's stored settings for script content, since a payload saved before the update remains in the database and is not removed by updating the code.
- Restrict administrative privileges to the people who need them and audit admin accounts regularly; the vulnerability is only reachable from a high-privilege account.
- In multisite networks, keep the number of super admins minimal and review which site administrators exist on each site, because the attack crosses from site admin to super admin via the victim's browser.
- Deploy a Content Security Policy that blocks inline scripts and limits script sources. Note that wp-admin relies heavily on inline scripts, so a blanket `script-src 'self'` policy will break the dashboard; a nonce-based policy, tested against the admin pages in use, is the practical option.
- Monitor plugin settings for changes and scan stored option values for markup that the kses post-content allowlist would strip; a hit is either an injection or a legitimately privileged write, and both are worth knowing about.
- A Web Application Firewall with stored-XSS rules can block the write at request time, but it does nothing for a payload that is already stored, and a determined administrator can often encode around signature rules, so treat it as a supplementary control.
- Educate administrators that settings fields are as sensitive as post content and that pasted markup from untrusted sources belongs nowhere in wp-admin.
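The audit and the capability enforcement from the list above, as an added example in the form of a must-use plugin (this is not the plugin's own code; the okg_ names, the command name and the SQL prefilter patterns are assumptions of this example). The filter makes every option write by a logged-in user who lacks unfiltered_html pass through wp_kses_post, closing the gap the advisory describes site-wide rather than for one plugin; the scan reports options whose stored value the same allowlist would change.

```php
<?php
/**
 * Plugin Name: Option kses guard (added example, hypothetical)
 * Install path: wp-content/mu-plugins/option-kses-guard.php
 */

// Apply wp_kses_post to strings anywhere inside an option value.
function okg_kses_deep( $value ) {
    if ( is_string( $value ) ) {
        return wp_kses_post( $value );
    }
    if ( is_array( $value ) ) {
        return array_map( 'okg_kses_deep', $value );
    }
    return $value; // ints, bools and objects are left untouched
}

// 1. Enforce unfiltered_html on option writes. Core enforces it for post
//    content; plugins that store raw request input with update_option()
//    bypass it, which is the root cause described in CVE-2024-13381.
//    Scope: logged-in users only, so cron, WP-CLI and activation routines
//    that legitimately store HTML are not affected.
function okg_enforce_kses( $value, $option, $old_value ) {
    if ( ! get_current_user_id() || current_user_can( 'unfiltered_html' ) ) {
        return $value;
    }
    return okg_kses_deep( $value );
}
add_filter( 'pre_update_option', 'okg_enforce_kses', 10, 3 );

// 2. Audit: options whose stored value contains markup wp_kses_post would
//    strip. The SQL LIKE/REGEXP clauses are only a cheap prefilter; the
//    before/after comparison is what decides. Treat each hit as a review
//    item, not as proof of compromise: a super admin may have stored it.
function okg_find_suspicious_options() {
    global $wpdb;
    $rows = $wpdb->get_results(
        "SELECT option_name, option_value FROM {$wpdb->options}
          WHERE option_value LIKE '%<script%'
             OR option_value LIKE '%javascript:%'
             OR option_value REGEXP 'on[a-z]+[[:space:]]*='",
        ARRAY_A
    );
    $hits = array();
    foreach ( $rows as $row ) {
        $value = maybe_unserialize( $row['option_value'] );
        if ( okg_kses_deep( $value ) !== $value ) {
            $hits[] = $row['option_name'];
        }
    }
    return $hits;
}

// 3. Expose the audit as a WP-CLI command: `wp okg scan`.
if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::add_command( 'okg scan', function () {
        $hits = okg_find_suspicious_options();
        foreach ( $hits as $name ) {
            WP_CLI::warning( "option '{$name}' contains markup wp_kses_post would strip" );
        }
        WP_CLI::success( count( $hits ) . ' option(s) flagged' );
    } );
}
```

Run `wp okg scan` before and after upgrading to 5.2.62: the upgrade fixes the code path, not the stored values, so anything flagged afterwards was written earlier and must be cleaned by hand. The `pre_update_option` filter is deliberately broad; on a site where a plugin legitimately stores HTML templates in options on behalf of ordinary administrators, narrow the filter to the option names that plugin uses (the hook `pre_update_option_{$option}` exists for exactly that) rather than disabling the guard.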
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: WPScan
- Date Reserved: 2025-01-14T13:51:37.920Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9839c4522896dcbec81c
Added to database: 5/21/2025, 9:09:13 AM
Last enriched: 6/25/2025, 9:28:09 PM
Last updated: 7/29/2025, 5:32:58 PM