Attack Vectors
CVE-2026-25368 affects the WordPress plugin Calculated Fields Form (slug: calculated-fields-form) in versions up to and including 5.4.4.1. This is a Medium severity issue (CVSS 4.3, vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).
The primary attack vector is an authenticated user with contributor-level access or higher. In practical terms, this can include a legitimate internal user, a contractor account, or an account taken over through password reuse, phishing, or credential stuffing. Because no user interaction is required (UI:N), a compromised low-privilege account can be used to attempt the unauthorized action quickly and repeatedly.
Security Weakness
The vulnerability is described as a missing authorization (capability) check on a function in Calculated Fields Form. WordPress core only enforces roles and capabilities where plugin code explicitly asks it to (for example via current_user_can()), so when that check is missing nothing enforces “who is allowed to do what” on that code path, and users with lower roles can perform actions intended only for administrators or other trusted roles.
According to the published advisory, this weakness enables authenticated attackers (contributors and above) to perform an unauthorized action. The public summary does not specify the exact action, so risk should be assessed under the assumption that it could affect site configuration or form-related settings and content in ways that impact business operations.
Reference: CVE-2026-25368 and Wordfence’s vulnerability entry: Wordfence Threat Intel.
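The following is an added illustration of this weakness class in generic WordPress plugin code, not code from Calculated Fields Form or from the advisory: the hook, function and option names (demo_save_form_settings, demo_form_settings) are hypothetical. It shows an AJAX handler reachable by any logged-in user that changes a setting without an authorization check, beside the hardened form a reviewer would expect.

```php
<?php
// Added illustration of a missing-authorization (capability) check in a
// WordPress plugin. All names below are hypothetical; this is NOT the
// Calculated Fields Form code base.

// --- Vulnerable pattern ---------------------------------------------------
// wp_ajax_* hooks fire for EVERY authenticated user, contributors included.
// The handler performs a privileged change with no capability and no nonce
// check, so any logged-in account can call it (the "contributor+" vector).
add_action( 'wp_ajax_demo_save_form_settings', 'demo_save_form_settings_vulnerable' );
function demo_save_form_settings_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : array();
    update_option( 'demo_form_settings', $settings ); // no current_user_can(), no nonce
    wp_send_json_success();
}

// --- Hardened pattern -----------------------------------------------------
// 1. check_ajax_referer() rejects requests without a valid nonce (CSRF).
// 2. current_user_can() enforces the capability explicitly; contributors do
//    not have 'manage_options', so they receive a 403 and nothing is changed.
// 3. Input is sanitized and the change is logged for monitoring.
add_action( 'wp_ajax_demo_save_form_settings_fixed', 'demo_save_form_settings_fixed' );
function demo_save_form_settings_fixed() {
    check_ajax_referer( 'demo_form_settings', 'nonce' ); // dies on a bad nonce

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : array();
    $settings = is_array( $settings ) ? array_map( 'sanitize_text_field', $settings ) : array();

    update_option( 'demo_form_settings', $settings );

    // Audit trail: who changed form settings, useful for the monitoring
    // recommended when no vendor patch is available.
    error_log( sprintf( 'demo_form_settings changed by user %d', get_current_user_id() ) );

    wp_send_json_success();
}
```

When auditing a plugin for this class of bug, look for every wp_ajax_*, admin_post_* and REST route callback and confirm each one performs its own capability check before any state change.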
Technical or Business Impacts
Even at Medium severity, missing authorization issues can create meaningful business risk because they undermine role-based governance. If contributors (or compromised contributor accounts) can perform actions beyond their intended permissions, it can lead to unauthorized changes that impact brand trust and marketing operations.
Potential impacts include unauthorized modification of form behavior or site content (integrity impact is rated Low in the CVSS vector: I:L). For marketing teams, this can translate to disrupted lead capture, altered form logic, broken campaign attribution, or collection of incorrect customer data—resulting in lost revenue opportunities and increased operational overhead to investigate and repair.
For compliance and risk teams, the main concern is governance: when least-privilege controls are bypassed, it becomes harder to demonstrate appropriate access controls and change management—especially if multiple users have contributor access across departments or agencies.
Remediation note: the advisory indicates no known patch is available. Organizations should decide on mitigations based on risk tolerance, including removing/uninstalling Calculated Fields Form and replacing it, tightening who has contributor (and above) access, and increasing monitoring for unexpected administrative or configuration changes related to forms.
Similar Attacks
Authorization and plugin-level access control issues are a recurring theme in WordPress security. While the details differ, the following real-world examples show how plugin vulnerabilities can be leveraged to perform actions attackers should not be able to perform:
CVE-2020-25213 (WP File Manager)
CVE-2020-8510 (ThemeGrill Demo Importer)
CVE-2014-9734 (Slider Revolution)