Calculated Fields Form, Cross-Site Request Forgery (CSRF), CVE-2025-49291 (Medium)

How the CVE Works:

CVE-2025-49291 is a CSRF vulnerability in the Calculated Fields Form plugin (versions up to 5.3.58). Attackers can craft malicious requests that, when executed by an authenticated admin, manipulate form submissions or settings without consent. The plugin fails to validate nonces or implement anti-CSRF tokens, allowing unauthorized state changes via forged HTTP requests.

DailyCVE Form:

Platform: WordPress
Version: ≤5.3.58
Vulnerability: CSRF
Severity: Medium
Date: 2025-06-06

Prediction: Patch by 2025-08-15

What Undercode Says:

Analytics:

# Shell: the page's sample POST to the plugin's admin-ajax action; note that no nonce field accompanies it
curl -X POST http://target/wp-admin/admin-ajax.php -d "action=cp_calculatedfieldsf_update&form_id=1"

# Python: the page's sample forged settings POST, likewise carrying no nonce
import requests
csrf_payload = {"field": "malicious_value"}
requests.post("http://target/wp-admin/options.php", data=csrf_payload)

How to Exploit:

  • Craft a fake form/page triggering admin actions.
  • Trick admins into submitting requests via phishing.
  • Modify plugin settings/form data via forged POST.

Protection from this CVE:

  • Update to a patched version (later than 5.3.58).
  • Implement CSRF tokens in every admin action.
  • Use WordPress nonce verification on the plugin's AJAX and settings handlers.
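To make the nonce-verification fix concrete, here is an added example (not the plugin's or the page author's code) of a WordPress admin-ajax handler before and after adding the checks. The action name cp_calculatedfieldsf_update comes from the page; the handler, option key and nonce action names are hypothetical.

```php
<?php
// Added example, not the plugin's own code. Action name 'cp_calculatedfieldsf_update'
// is taken from the page; function, option and nonce names are hypothetical.

// BEFORE: any POST that arrives with an admin's session cookies is trusted.
function cff_demo_update_form_insecure() {
    $form_id  = intval( $_POST['form_id'] );
    $settings = wp_unslash( $_POST['settings'] );
    update_option( 'cff_demo_form_' . $form_id, $settings ); // hypothetical option key
    wp_send_json_success();
}

// AFTER: prove the request came from the plugin's own admin page (nonce)
// and that the logged-in user is allowed to change settings (capability).
function cff_demo_update_form_secure() {
    // Dies with HTTP 403 if the 'security' field is missing, stale or forged.
    check_ajax_referer( 'cff_demo_update_form', 'security' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $form_id  = isset( $_POST['form_id'] ) ? absint( $_POST['form_id'] ) : 0;
    $settings = isset( $_POST['settings'] ) ? sanitize_text_field( wp_unslash( $_POST['settings'] ) ) : '';
    if ( ! $form_id ) {
        wp_send_json_error( 'bad form id', 400 );
    }
    update_option( 'cff_demo_form_' . $form_id, $settings );
    wp_send_json_success( array( 'form_id' => $form_id ) );
}
// Only the authenticated hook is registered; no 'wp_ajax_nopriv_' variant exists.
add_action( 'wp_ajax_cp_calculatedfieldsf_update', 'cff_demo_update_form_secure' );

// The admin page's script receives a fresh nonce and must send it back as 'security'.
function cff_demo_enqueue_admin() {
    wp_enqueue_script( 'cff-demo-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'cff-demo-admin', 'cffDemo', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'security' => wp_create_nonce( 'cff_demo_update_form' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'cff_demo_enqueue_admin' );
```

A cross-site page cannot read the nonce out of the admin page, so the forged POST shown under "Analytics" fails the check_ajax_referer call before any option is written.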

Impact:

  • Unauthorized form/data manipulation.
  • Plugin settings hijacking.
  • Low malware injection risk.

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

πŸ”JOIN OUR CYBER WORLD [ CVE News β€’ HackMonitor β€’ UndercodeNews ]

πŸ’¬ Whatsapp | πŸ’¬ Telegram

πŸ“’ Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | πŸ”— Linkedin Featured Image

Scroll to Top