Atomic Edge analysis of CVE-2026-25368:
The Calculated Fields Form plugin for WordPress, versions up to and including 5.4.4.1, contains a missing authorization vulnerability. This flaw allows authenticated attackers with contributor-level permissions or higher to perform an unauthorized action, specifically to read arbitrary data from the `$_SESSION` and `$_COOKIE` superglobal arrays. The CVSS score of 4.3 reflects a medium severity issue.
The root cause is an insufficient capability check in the `cpcff_get_variable` function, which handles the `[CP_CALCULATED_FIELDS_VAR]` shortcode. The vulnerable code path is in the file `/calculated-fields-form/inc/cpcff_main.inc.php` between lines 870 and 890. The function processes the `from` attribute to determine which superglobal array to read from. The original code allowed the `from` attribute to name `_SESSION` or `_COOKIE` and then read the requested key from that array without any check that the author of the shortcode was entitled to see that data; the only gate was the ability to place a shortcode in content, which contributors have.
An attacker can exploit this by crafting a post or page containing the malicious shortcode `[CP_CALCULATED_FIELDS_VAR var="target_variable" from="_SESSION"]`. A contributor cannot publish, but can save such a post as a draft and preview it, or submit it for review so that a higher-privileged user renders it. Whenever the post is rendered, the plugin executes the shortcode handler, reads the named key from the viewer's session or cookie data, and outputs it as a JSON-encoded string within the page content. The value lands in the page served to that viewer, so what is exposed is whatever that viewer's own session or cookies hold for the requested key.
The patch in version 5.4.4.2 modifies the `cpcff_get_variable` function in `/calculated-fields-form/inc/cpcff_main.inc.php`. It removes `_SESSION` and `_COOKIE` from the allowed values for the `from` attribute array on line 873. The patch also removes the corresponding fallback logic that directly accessed `$_SESSION` and `$_COOKIE` on lines 883-886. After the patch, the function can only read data from `_POST` or `_GET` superglobals, which are inherently user-supplied and transient, thereby eliminating the unauthorized data leak from server-side session stores or client cookies.
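The allow-list change described above, as an added illustration that is not the plugin's own code: a stand-in shortcode handler run once with the pre-patch allow-list (`_POST`, `_GET`, `_SESSION`, `_COOKIE`) and once with the post-patch allow-list (`_POST`, `_GET`). The function names, the sample session and cookie contents, and the exact way the real handler maps `from` onto a superglobal are assumptions; only the attribute names and the two allow-lists come from the advisory.

```php
<?php
// Added illustration, not code from the Calculated Fields Form plugin.
// Function names and sample data are hypothetical; the allow-lists mirror
// the pre- and post-5.4.4.2 behaviour described in the advisory.
declare(strict_types=1);

// Constructed sample state standing in for one viewer's request.
// Assumes the standard session extension, so $_SESSION is a superglobal.
$_SESSION = ['cpcff_token' => 's3ss10n-secret', 'user_id' => 42];
$_COOKIE  = ['tracking_id' => 'abc123'];
$_GET     = ['page' => '2'];
$_POST    = [];

/**
 * Resolve the key named by the `var` attribute from the superglobal named by
 * the `from` attribute, but only if that source is on the allow-list.
 * Returns the JSON-encoded value, or an empty string when nothing is found.
 */
function demo_get_variable(array $atts, array $allowed_sources): string
{
    $var  = isset($atts['var'])  ? (string) $atts['var']  : '';
    $from = isset($atts['from']) ? (string) $atts['from'] : '_POST';

    // Strict comparison: a `from` value outside the allow-list renders nothing.
    if ($var === '' || !in_array($from, $allowed_sources, true)) {
        return '';
    }

    // Map the attribute value onto the superglobal it names.
    switch ($from) {
        case '_SESSION': $source = $_SESSION; break;
        case '_COOKIE':  $source = $_COOKIE;  break;
        case '_GET':     $source = $_GET;     break;
        default:         $source = $_POST;    break;
    }

    if (!isset($source[$var])) {
        return '';
    }
    $encoded = json_encode($source[$var]);
    return $encoded === false ? '' : $encoded;
}

// Pre-patch allow-list: server-side session and client cookies are reachable
// from any content that can carry a shortcode.
function demo_get_variable_vulnerable($atts): string
{
    return demo_get_variable((array) $atts, ['_POST', '_GET', '_SESSION', '_COOKIE']);
}

// Post-patch allow-list: only the request-supplied arrays remain, so the
// shortcode can echo back at most what the requester sent.
function demo_get_variable_fixed($atts): string
{
    return demo_get_variable((array) $atts, ['_POST', '_GET']);
}

// Inside WordPress the hardened handler would be registered like this; the
// guard lets the file also run stand-alone from the CLI.
if (function_exists('add_shortcode')) {
    add_shortcode('DEMO_CALCULATED_FIELDS_VAR', 'demo_get_variable_fixed');
}

// Same attacker-controlled attributes against both variants.
$atts = ['var' => 'cpcff_token', 'from' => '_SESSION'];
echo 'vulnerable: ', demo_get_variable_vulnerable($atts), PHP_EOL;
echo 'fixed:      ', demo_get_variable_fixed($atts), PHP_EOL;
```

Run from the CLI, the vulnerable variant prints the JSON-encoded session token and the fixed variant prints nothing, because `_SESSION` no longer passes the `in_array` check. When auditing a shortcode or template-tag handler for the same class of bug, the check to make is exactly this one: which arrays can a content-level attribute select, and does the list include anything that is not already under the requester's control.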
Successful exploitation leads to information disclosure. An attacker can extract sensitive data stored in a user’s PHP session, which may include authentication tokens, user identifiers, or other temporary application state. Accessing `$_COOKIE` data could expose persistent identifiers or other client-stored information. This vulnerability does not directly allow privilege escalation or remote code execution, but the leaked session data could facilitate other attacks like session hijacking.
