CVE-2025-49291 is a Cross-Site Request Forgery (CSRF) vulnerability identified in the codepeople Calculated Fields Form plugin, affecting versions up to 5.3.58. CSRF vulnerabilities allow an attacker to trick an authenticated user into submitting unwanted actions on a web application in which they are currently authenticated. In this case, the vulnerability exists because the plugin does not implement adequate anti-CSRF tokens or other mechanisms to verify the legitimacy of requests that modify form data or settings. Exploiting this flaw requires the victim to be authenticated and to interact with a maliciously crafted webpage or link, which then sends unauthorized requests to the vulnerable plugin. The CVSS v3.1 base score is 4.3 (medium severity), reflecting that the attack vector is network-based, requires no privileges, but does require user interaction, and the impact is limited to integrity (unauthorized changes) without affecting confidentiality or availability. No known exploits are currently reported in the wild, and no patches or fixes have been linked yet. The vulnerability is categorized under CWE-352, which is a common web application security weakness related to insufficient request validation against CSRF attacks.

For European organizations using the codepeople Calculated Fields Form plugin, this vulnerability could allow attackers to perform unauthorized actions on web forms, potentially altering form calculations, configurations, or data submissions without the user's consent. While the confidentiality and availability of systems are not directly impacted, the integrity of form data and business processes relying on these forms could be compromised. This could lead to incorrect data processing, business logic errors, or manipulation of user inputs that may affect decision-making or automated workflows. Organizations in sectors such as e-commerce, finance, healthcare, or government that rely on these forms for critical data collection or processing could face operational disruptions or reputational damage. The requirement for user interaction and authentication limits the scope somewhat, but targeted phishing or social engineering campaigns could increase exploitation risk.

European organizations should immediately assess their use of the codepeople Calculated Fields Form plugin and verify the version in use. Until an official patch is released, mitigation strategies include implementing web application firewalls (WAFs) with rules to detect and block CSRF attack patterns targeting the plugin endpoints. Administrators should enforce strict same-site cookie policies (SameSite=Lax or Strict) to reduce CSRF risks. Additionally, reviewing and hardening authentication and session management practices can limit the impact of CSRF attacks. User education to recognize phishing attempts and suspicious links is critical to prevent user interaction-based exploitation. Monitoring web server logs for unusual POST requests or form submissions can help detect attempted exploitation. Once a patch becomes available, prompt application of updates is essential. Developers using the plugin should consider adding custom CSRF tokens or nonce verification mechanisms if feasible as an interim protective measure.