Calculated Fields Form Vulnerability (Medium) – CVE-2026-3986

Mar 12, 2026 | Plugins

Attack Vectors

CVE-2026-3986 is a medium-severity (CVSS 6.4) Stored Cross-Site Scripting (XSS) issue affecting the Calculated Fields Form WordPress plugin (slug: calculated-fields-form) in versions up to and including 5.4.5.0. An attacker needs an authenticated WordPress account with Contributor-level access or higher to exploit it.

The attack is carried out by injecting malicious script into the plugin’s form settings, specifically through the fcontent field used within fhtml field types. Because the payload is stored, it can execute later when any user visits a page where the compromised form is displayed—potentially including marketing landing pages, lead capture forms, and other high-traffic conversion paths.

This is particularly relevant for organizations that allow multiple internal users, agencies, freelancers, or content contributors to publish or manage pages, because the vulnerability can be triggered without needing admin access.

Security Weakness

The root cause is a combination of insufficient capability checks in the handler that saves form settings and insufficient input sanitization for the fcontent field in fhtml field types. In practical terms, the plugin does not adequately prevent lower-privileged authenticated users (Contributor+) from saving dangerous script content into form settings.

This weakness enables stored (persistent) script injection—meaning the malicious content can remain embedded until discovered and removed, creating an ongoing risk rather than a one-time event.
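As an added illustration (not code from the plugin, the advisory, or Wordfence), the following hypothetical WordPress save handler puts the weak pattern the advisory describes next to a hardened version that adds the two missing controls: a capability check on the handler and sanitization of the fcontent value of fhtml fields. The function names, the option name and the ftype key are assumptions; fcontent and fhtml are the names the advisory uses.

```php
<?php
// Added example, not the plugin's own code. cff_demo_* names, the option
// name and the 'ftype' key are hypothetical; 'fhtml' and 'fcontent' come
// from the advisory.

// Weak pattern (the bug class described): no capability check, and the
// submitted field list is stored verbatim, so an fhtml field's fcontent can
// carry script that later renders wherever the form is embedded.
function cff_demo_save_form_settings_weak() {
    $fields = isset( $_POST['fields'] ) ? wp_unslash( $_POST['fields'] ) : array();
    update_option( 'cff_demo_form_settings', $fields );
}

// Hardened pattern: require an administrator-level capability (Contributors,
// Authors and Editors do not have manage_options), verify the nonce, and run
// every fhtml fcontent through wp_kses_post() before it is persisted.
function cff_demo_save_form_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'cff_demo_save_form' ); // CSRF protection for the save request

    $raw   = isset( $_POST['fields'] ) ? (array) wp_unslash( $_POST['fields'] ) : array();
    $clean = array();
    foreach ( $raw as $field ) {
        $type  = sanitize_key( isset( $field['ftype'] ) ? $field['ftype'] : '' );
        $entry = array( 'ftype' => $type );
        if ( 'fhtml' === $type ) {
            // wp_kses_post() keeps the markup allowed in post content and strips
            // <script>, on* event handler attributes and javascript: URLs.
            $entry['fcontent'] = wp_kses_post( isset( $field['fcontent'] ) ? $field['fcontent'] : '' );
        } else {
            $entry['label'] = sanitize_text_field( isset( $field['label'] ) ? $field['label'] : '' );
        }
        $clean[] = $entry;
    }
    update_option( 'cff_demo_form_settings', $clean );
}
```

Because fhtml content is meant to be rendered as HTML, the allow-list filter at save time is the primary control; applying wp_kses_post() again when the form is rendered gives defense in depth if settings were written before the fix.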

Technical or Business Impacts

Because this is a Stored XSS issue, the impact often shows up as a business problem first: compromised site trust, lead integrity issues, and reputational damage. Executed scripts could be used to manipulate what visitors see on key pages, interfere with user sessions, or redirect traffic—especially harmful on paid-campaign landing pages and high-value forms.

From a governance and compliance standpoint, this risk increases if your WordPress workflow includes many non-admin users (contributors, editors, vendors). A malicious script running in a visitor’s browser can also undermine analytics accuracy, distort conversion attribution, and create uncertainty around whether leads collected during the exposure window are legitimate.

Remediation: Update Calculated Fields Form to version 5.4.5.1 or newer. You can reference the official CVE entry here: CVE-2026-3986. Additional details are available from the reporting source: Wordfence vulnerability advisory.

Similar Attacks

Stored XSS vulnerabilities in WordPress plugins have been repeatedly exploited to inject persistent scripts into pages, forms, and admin-facing views. Examples include:

CVE-2024-27956 (WordPress plugin XSS example)

CVE-2023-2745 (WordPress plugin stored XSS example)

CVE-2022-21661 (WordPress-related stored XSS example)
