April 2

High Severity Vulnerability Results in Closure of Plugin with More than 100,000 Installations

WordPress Vulnerabilities

0  comments

This post was originally published on this site

On April 1, 2020, the Wordfence Risk Intelligence group discovered the stored Cross Web site Scripting (XSS) vulnerability within Contact Form 7 Datepicker, a WordPress plugin installed in over 100,000 websites. As the plugin programmer’s github web page indicated that the plugin had been no longer getting maintained, we contacted the WordPress plugins group with our disclosure, plus they instantly removed the plugin from the repository for evaluation. We furthermore contacted the plugin’s programmer and received a reply verifying they had no programs to keep it and were content with removing the plugin from the repository.

All Wordfence customers, including Wordfence free of charge and Wordfence Premium customers, are protected out of this vulnerability by the Wordfence Firewall’s built-in XSS protection. Nevertheless, we strongly suggest deactivating and getting rid of this plugin.


The CONTACT PAGE 7 Datepicker plugin allows users to include a datepicker to forms generated by CONTACT PAGE 7, also it includes the opportunity to modify settings for these datepickers. To be able to process these configurations, it authorized an AJAX activity calling a functionality that didn’t add a capability check or perhaps a nonce check. Therefore, it was easy for a logged-in attacker with reduced permissions, like a subscriber, to deliver a crafted request that contains malicious JavaScript which may be kept in the plugin’s configurations.

The next time a certified user created or modified a contact page, the stored JavaScript will be executed within their browser, which could be utilized to steal an administrator’s session as well as create malicious administrative customers.

What must i do?

Although all sites operating the Wordfence Web Application Firewall ought to be protected from this vulnerability, we strongly suggest deactivating and removing the CONTACT PAGE 7 Datepicker plugin if it’s installed on your own site. If your website is working Wordfence, the scanner should alert you if all of your plugins are usually vulnerable, or have already been taken off the WordPress repository. Because the CONTACT PAGE 7 Datepicker plugin is not any longer being maintained, it’ll likely never be patched, so that it may be smart to lookup for an alternative solution plugin with similar efficiency.

Owing to the amount of sites suffering from this plugin’s closure, we have been intentionally providing minimal information regarding this vulnerability to avoid widespread exploitation. We shall continue to keep track of the problem and provide additional information in another update.

The post High Severity Vulnerability Results in Closure of Plugin with Over 100,000 Installations appeared first on Wordfence.

About the author 

WP Maintain Support Protect

You may also like

How exactly to Fix “ARE YOU CURRENTLY Sure You should do This?” Error within WordPress site

WordPress 5.4.2 Patches Several XSS Vulnerabilities

How to Prevent IP Addresses TO SAFEGUARD Your WordPress Site

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Subscribe to our newsletter now!