CVE-2025-49291: CWE-352 Cross-Site Request Forgery (CSRF) in codepeople Calculated Fields Form
Cross-Site Request Forgery (CSRF) vulnerability in codepeople Calculated Fields Form allows Cross Site Request Forgery. This issue affects Calculated Fields Form: from n/a through 5.3.58.
AI Analysis
Technical Summary
CVE-2025-49291 is a Cross-Site Request Forgery (CSRF) vulnerability in the codepeople Calculated Fields Form WordPress plugin, affecting all versions through 5.3.58 inclusive ("from n/a" in the advisory means no lower bound is given). In a CSRF attack the attacker's page causes the victim's browser to send a request to the target site; because the browser attaches the victim's session cookies automatically, the site treats the request as the victim's own. The advisory does not identify the affected request handler; the CWE-352 classification indicates that at least one state-changing request in the plugin is accepted without verifying a WordPress nonce (or an equivalent per-user, per-action token), so any page the victim visits can forge it. Exploitation requires a victim who is logged in to the WordPress site with the capability the affected action needs and who opens an attacker-controlled page or link; the attacker needs no account on the site. The CVSS v3.1 base score is 4.3 (medium), which corresponds to the vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N: network attack vector, low attack complexity, no privileges required for the attacker, user interaction required, unchanged scope, and a low integrity impact (unauthorized changes) with no confidentiality or availability impact. No exploitation in the wild has been reported, and the record links no patch or fixed version. The weakness is classified as CWE-352, Cross-Site Request Forgery.
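To make the weakness concrete, the following is the generic WordPress settings-save pattern, shown first as a CSRF-exposed handler and then hardened with a nonce and a capability check. This is an added example written for this advisory, not code from Calculated Fields Form (the advisory does not publish the affected handler); the action, option and nonce names (cff_demo_*) are hypothetical, and the code assumes it runs inside a WordPress plugin so that the core functions it calls are available.

```php
<?php
/*
 * Added example, not code from the Calculated Fields Form plugin.
 * Illustrates the WordPress pattern a CWE-352 finding points at: a state-changing
 * handler reached via admin-post.php, without and with nonce verification.
 * Names cff_demo_save / cff_demo_nonce / cff_demo_multiplier are hypothetical.
 */

// Admin page form: the hidden "action" field routes the POST to the
// admin_post_cff_demo_save hook; wp_nonce_field() embeds the anti-CSRF token.
function cff_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="cff_demo_save">
        <?php wp_nonce_field( 'cff_demo_save', 'cff_demo_nonce' ); ?>
        <label>Multiplier
            <input type="text" name="multiplier"
                   value="<?php echo esc_attr( get_option( 'cff_demo_multiplier', '1' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Vulnerable handler: the capability check alone does not stop CSRF, because
// a cross-site form auto-submitted by the attacker's page arrives with the
// administrator's own cookies and therefore passes current_user_can().
function cff_demo_save_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    update_option( 'cff_demo_multiplier', sanitize_text_field( wp_unslash( $_POST['multiplier'] ?? '' ) ) );
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}

// Hardened handler: check_admin_referer() verifies $_POST['cff_demo_nonce']
// against the action 'cff_demo_save'. The nonce is derived from the user ID,
// the session token and a time window, so a page on another origin cannot
// produce it; on failure WordPress stops the request with wp_die().
function cff_demo_save_hardened() {
    check_admin_referer( 'cff_demo_save', 'cff_demo_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    $value = sanitize_text_field( wp_unslash( $_POST['multiplier'] ?? '' ) );
    if ( ! is_numeric( $value ) ) {
        wp_die( 'Multiplier must be numeric', '', array( 'response' => 400 ) );
    }
    update_option( 'cff_demo_multiplier', $value );
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}

// Register the hardened handler. Pointing this hook at cff_demo_save_vulnerable
// instead reproduces the class of flaw the advisory describes.
add_action( 'admin_post_cff_demo_save', 'cff_demo_save_hardened' );
```

The order matters: verify the nonce first, then the capability, then validate the input. wp_verify_nonce() can be used instead of check_admin_referer() when the handler should return an error rather than terminate, for example in an AJAX or REST callback.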
Potential Impact
For European organizations running the plugin, a successful attack lets the attacker make the victim's browser perform whatever state-changing action the unprotected handler exposes, which may include altering form definitions, calculation settings or plugin configuration, or submitting data as the victim, all without the victim's knowledge. Confidentiality and availability are not directly affected, but the integrity of the forms and of every business process that consumes their output is. Tampered calculation logic or settings can produce wrong quotes, totals or downstream records, which matters most where the forms feed e-commerce, financial, healthcare or government workflows or automated decisions. Because plugin settings are normally editable only by users holding the relevant capability (typically administrators), the realistic victim is a site administrator who is logged in when they open the malicious page; that narrows the target population, but a phishing message aimed at known site operators is enough to satisfy the user-interaction requirement.
Mitigation Recommendations
European organizations should identify every WordPress site that runs Calculated Fields Form and record the installed version; any version up to and including 5.3.58 is affected. Watch the plugin changelog and the Patchstack advisory for a release later than 5.3.58 that references CVE-2025-49291 and update promptly, since the patch is the only complete fix. Until then, the following measures reduce exposure. A WAF cannot recognise a forged request by its body, because it is byte-for-byte what a legitimate submission looks like; what a WAF or reverse proxy can do is reject state-changing requests to wp-admin/, admin-post.php and admin-ajax.php whose Origin header (or, if absent, Referer header) names another site. WordPress does not set the SameSite attribute on its authentication cookies by default; adding SameSite=Lax at the web server or reverse proxy stops cross-site POST submissions in current browsers, but Lax still sends cookies on top-level GET navigations, so it does not help if the affected action can be triggered by GET, and Strict closes that gap at the cost of breaking links into the admin area from external pages. Keep administrative sessions short, log out of wp-admin when finished, and avoid using the same browser profile for site administration and general browsing, since CSRF only works while the victim holds a valid session. Train site administrators on the specific scenario: a link or page that, opened while logged in, silently changes plugin settings. In the web server logs, look for POST requests to /wp-admin/admin-post.php or /wp-admin/admin-ajax.php whose Referer is empty or from another domain, especially when followed by changes to the plugin's forms; on a normal site these are rare. The proper fix belongs in the plugin: every state-changing handler must verify a nonce (wp_nonce_field() in the form, check_admin_referer() or wp_verify_nonce() in the handler) and check current_user_can() for the required capability. A site owner who cannot wait for the patch can deploy an interim Origin/Referer check as a must-use plugin without modifying the plugin's own code.
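The interim Origin/Referer check described above, written as a must-use plugin. This is an added example for this advisory, not code from Calculated Fields Form or from WordPress; it assumes a standard WordPress installation where admin-post.php and admin-ajax.php fire the admin_init hook, and the plugin name, file name and function names are hypothetical.

```php
<?php
/*
 * Plugin Name: Cross-site admin request guard
 * Added example for this advisory, not part of Calculated Fields Form.
 * Install as wp-content/mu-plugins/csrf-guard.php. Rejects state-changing
 * requests to the admin area (including admin-post.php and admin-ajax.php,
 * both of which fire admin_init) when the browser-supplied Origin header,
 * or failing that the Referer header, belongs to another site.
 */

// Hosts that may legitimately originate admin requests: the site URL (where
// wp-admin lives) and the home URL (where front-end pages that call
// admin-ajax.php live). They differ only on split-host or subdirectory installs.
function csrf_guard_allowed_hosts() {
    $hosts = array();
    foreach ( array( site_url(), home_url() ) as $url ) {
        $host = wp_parse_url( $url, PHP_URL_HOST );
        if ( $host ) {
            $hosts[] = strtolower( $host );
        }
    }
    return array_values( array_unique( $hosts ) );
}

// Pure decision function (no $_SERVER access) so it can be exercised in isolation.
// Returns true when the request must be blocked.
function csrf_guard_is_cross_site( $method, $origin, $referer, array $allowed_hosts ) {
    if ( ! in_array( strtoupper( (string) $method ), array( 'POST', 'PUT', 'PATCH', 'DELETE' ), true ) ) {
        // Safe methods pass through. A handler that changes state on GET is not
        // covered here, just as SameSite=Lax would not cover it.
        return false;
    }
    foreach ( array( $origin, $referer ) as $header ) {
        if ( $header === null || $header === '' ) {
            continue; // Header absent: try the next one.
        }
        // "Origin: null" (sandboxed iframes, data: URLs) and unparseable values
        // yield no host and are treated as cross-site, the safe default.
        $host = strtolower( (string) wp_parse_url( $header, PHP_URL_HOST ) );
        return ! in_array( $host, $allowed_hosts, true );
    }
    // Neither header present: indistinguishable from a non-browser client.
    // Allowed here so that scripted clients keep working; change to true if
    // every admin request on this site comes from a browser.
    return false;
}

add_action( 'admin_init', function () {
    $method  = $_SERVER['REQUEST_METHOD'] ?? 'GET';
    $origin  = $_SERVER['HTTP_ORIGIN'] ?? null;
    $referer = $_SERVER['HTTP_REFERER'] ?? null;
    if ( ! csrf_guard_is_cross_site( $method, $origin, $referer, csrf_guard_allowed_hosts() ) ) {
        return;
    }
    // Log before rejecting: blocked requests are the detection signal to watch for.
    error_log( sprintf(
        'csrf_guard: blocked %s %s origin=%s referer=%s user=%d',
        $method,
        $_SERVER['REQUEST_URI'] ?? '',
        $origin ?? '-',
        $referer ?? '-',
        get_current_user_id()
    ) );
    wp_die( 'Cross-site request rejected.', 'Forbidden', array( 'response' => 403 ) );
}, 0 );
```

Priority 0 on admin_init runs the guard before plugin handlers registered at the default priority. On a multisite network with mapped domains, extend csrf_guard_allowed_hosts() with the mapped hosts, otherwise legitimate requests from those domains are rejected. This guard does not protect front-end endpoints that do not load the admin bootstrap, and it is a stopgap, not a substitute for the vendor patch.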
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-06-04T09:41:43.868Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6842ede071f4d251b5c88119
Added to database: 6/6/2025, 1:32:16 PM
Last enriched: 7/7/2025, 9:12:53 PM
Last updated: 8/4/2025, 10:34:36 AM
Views: 15
Related Threats
CVE-2025-54205: Out-of-bounds Read (CWE-125) in Adobe Substance3D - Sampler (Medium)
CVE-2025-54195: Out-of-bounds Read (CWE-125) in Adobe Substance3D - Painter (Medium)
CVE-2025-54194: Out-of-bounds Read (CWE-125) in Adobe Substance3D - Painter (Medium)
CVE-2025-54193: Out-of-bounds Read (CWE-125) in Adobe Substance3D - Painter (Medium)
CVE-2025-54192: Out-of-bounds Read (CWE-125) in Adobe Substance3D - Painter (Medium)