
CVE-2026-3986: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in codepeople Calculated Fields Form

Severity: Medium
Published: Fri Mar 13 2026 (03/13/2026, 08:25:17 UTC)
Source: CVE Database V5
Vendor/Project: codepeople
Product: Calculated Fields Form

Description

CVE-2026-3986 is a stored Cross-Site Scripting (XSS) vulnerability in the WordPress plugin Calculated Fields Form, affecting all versions up to and including 5.4.5.0. The flaw arises from insufficient capability checks and inadequate input sanitization of the 'fcontent' field within 'fhtml' field types in form settings. Authenticated users with Contributor-level access or higher can inject malicious scripts that execute when any user views the compromised page. This vulnerability does not require user interaction to trigger and can impact confidentiality and integrity by enabling script execution in the context of the victim's browser. The CVSS score is 6.4 (medium severity), with a network attack vector, low attack complexity, and privileges required. No known exploits are currently reported in the wild.

AI-Powered Analysis

Last updated: 03/13/2026, 08:59:23 UTC

Technical Analysis

CVE-2026-3986 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Calculated Fields Form WordPress plugin developed by codepeople. This vulnerability exists in all versions up to and including 5.4.5.0. The root cause is twofold: insufficient capability checks on the form settings save handler and inadequate sanitization of user input in the 'fcontent' field of 'fhtml' field types. Specifically, authenticated users with Contributor-level permissions or higher can inject arbitrary JavaScript code into form settings. Because these scripts are stored persistently, they execute whenever any user accesses the affected page, potentially including administrators or other privileged users. The vulnerability allows attackers to bypass typical input validation and capability restrictions, enabling the injection of malicious scripts that can steal session cookies, perform actions on behalf of users, or redirect users to malicious sites. The CVSS 3.1 base score is 6.4, reflecting a medium severity with a network attack vector, low attack complexity, and requiring privileges but no user interaction. The scope is changed (S:C) because the vulnerability can affect other components or users beyond the initial attacker. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. This vulnerability highlights the risks of improper input validation and insufficient permission checks in WordPress plugins, especially those that allow user-generated content to be stored and rendered in web pages.

Potential Impact

The primary impact of CVE-2026-3986 is the potential for attackers with Contributor-level access to inject persistent malicious scripts into WordPress sites using the Calculated Fields Form plugin. This can lead to unauthorized actions such as session hijacking, privilege escalation, defacement, or redirection to malicious websites. Since the scripts execute in the context of any user visiting the infected page, including administrators, the confidentiality and integrity of user data and site content are at risk. Although availability is not directly impacted, the exploitation could facilitate further attacks that degrade service or compromise site integrity. Organizations relying on this plugin face risks of reputational damage, data breaches, and unauthorized access. The medium CVSS score reflects the need for attention but also that exploitation requires authenticated access, limiting exposure to external unauthenticated attackers. However, given the widespread use of WordPress and the plugin, the potential attack surface is significant, especially for sites allowing Contributor-level users or higher.

Mitigation Recommendations

To mitigate CVE-2026-3986, organizations should immediately restrict Contributor-level user permissions if possible, limiting the ability to save or modify form settings. Administrators should audit existing form configurations for suspicious or unexpected script content in 'fcontent' fields. Until an official patch is released, consider disabling or removing the Calculated Fields Form plugin if it is not essential. Implement Web Application Firewall (WAF) rules to detect and block typical XSS payloads targeting the plugin's form settings endpoints. Employ Content Security Policy (CSP) headers to restrict script execution sources, reducing the impact of injected scripts. Regularly monitor logs for unusual activity related to form settings changes. When a patch becomes available, apply it promptly. Additionally, educate users with Contributor-level access about the risks of injecting scripts and enforce strict input validation policies in custom plugin configurations or extensions.
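The audit step above (checking stored form configurations for script content in 'fcontent' fields of 'fhtml' field types) can be scripted. The following is an added example and not code from the advisory or from the Calculated Fields Form plugin. The page does not document how the plugin stores form settings, so the form structure used here (a list of fields with 'name', 'ftype' and 'fcontent' keys, and an assumed non-HTML type 'ftext') is a constructed assumption; only the names 'fhtml' and 'fcontent' come from the advisory. It parses each HTML fragment properly rather than grepping for `<script`, so it also catches entity-encoded `javascript:` URLs and inline event handlers.

```python
"""Audit stored form definitions for risky markup in 'fhtml' fields.

Added example for CVE-2026-3986; the form-definition shape is an
assumption, not the plugin's real storage format.
"""
import re
from html.parser import HTMLParser

# Elements that should never appear in author-supplied HTML content.
DANGEROUS_TAGS = {"script", "iframe", "object", "embed"}
# Attributes that take a URL and therefore accept a script scheme.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
# Browsers strip ASCII control/whitespace characters inside a URL scheme
# ("java\tscript:" still runs), so the check strips them first.
CONTROL_CHARS = re.compile(r"[\x00-\x20]")
SCRIPT_SCHEME = re.compile(r"^(javascript|vbscript):", re.IGNORECASE)


class RiskyMarkupFinder(HTMLParser):
    """Collects findings while walking one HTML fragment."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag/attribute names and decodes character
        # references in attribute values before calling this hook.
        if tag in DANGEROUS_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler attribute {name}")
            elif name in URL_ATTRS and value is not None:
                cleaned = CONTROL_CHARS.sub("", value)
                if SCRIPT_SCHEME.match(cleaned):
                    self.findings.append(f"{name} uses script scheme")


def scan_fcontent(fcontent):
    """Return a list of human-readable findings for one 'fcontent' value."""
    parser = RiskyMarkupFinder()
    parser.feed(fcontent or "")
    parser.close()
    return parser.findings


def audit_form(form):
    """Return (form_id, field_name, findings) for every risky 'fhtml' field."""
    results = []
    for field in form.get("fields", []):
        if field.get("ftype") != "fhtml":  # only fhtml fields carry raw HTML
            continue
        hits = scan_fcontent(field.get("fcontent", ""))
        if hits:
            results.append((form["id"], field.get("name"), hits))
    return results


def audit_all(forms):
    """Audit a collection of forms; an empty list means nothing suspicious."""
    return [hit for form in forms for hit in audit_form(form)]


# Constructed sample data (assumed shape): one clean form, one with three
# different kinds of injected content.
SAMPLE_FORMS = [
    {"id": 1, "fields": [
        {"name": "fieldname1", "ftype": "ftext", "fcontent": ""},
        {"name": "fieldname2", "ftype": "fhtml",
         "fcontent": "<p>Enter your <strong>details</strong> below.</p>"},
    ]},
    {"id": 2, "fields": [
        {"name": "fieldname3", "ftype": "fhtml",
         "fcontent": '<p>Thanks!</p><script src="https://example.invalid/t.js"></script>'},
        {"name": "fieldname4", "ftype": "fhtml",
         "fcontent": '<img src="x" onerror="doSomething()">'},
        {"name": "fieldname5", "ftype": "fhtml",
         "fcontent": '<a href="jav&#x61;script:void(0)">link</a>'},
    ]},
]

if __name__ == "__main__":
    for form_id, field_name, hits in audit_all(SAMPLE_FORMS):
        print(f"form {form_id} field {field_name}: {', '.join(hits)}")
```

This is a review aid, not a fix: it surfaces content that should not be in a form definition so an administrator can inspect and remove it. The durable remedy is the vendor patch, which has to enforce a capability check on the save handler and sanitize 'fcontent' to an allow-list of tags at save time; a scanner like this only tells you whether something has already been stored.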


Technical Details

Data Version
5.2
Assigner Short Name
Wordfence
Date Reserved
2026-03-11T14:57:10.292Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 69b3ceae2f860ef943b3113f

Added to database: 3/13/2026, 8:45:34 AM

Last enriched: 3/13/2026, 8:59:23 AM

Last updated: 3/13/2026, 2:29:38 PM
