On April 1, 2020, the Wordfence Threat Intelligence team discovered a stored Cross-Site Scripting (XSS) vulnerability in Contact Form 7 Datepicker, a WordPress plugin installed on over 100,000 sites. As the plugin developer's GitHub page indicated that the plugin was no longer being maintained, we contacted the WordPress plugins team with our disclosure, and they immediately removed the plugin from the repository for review. We also contacted the plugin's developer and received a reply confirming that they had no plans to maintain it and were content with the plugin's removal from the repository.
All Wordfence users, including Wordfence free and Wordfence Premium users, are protected against this vulnerability by the Wordfence Firewall's built-in XSS protection. Nevertheless, we strongly recommend deactivating and removing this plugin.
Affected Plugin: Contact Form 7 Datepicker
Plugin Slug: contact-form-7-datepicker
Affected Versions: <= 2.6.0
CVE ID: Will be updated once an identifier is supplied.
CVSS Score: 7.4 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Fully Patched Version: N/A
What should I do?
Although all sites running the Wordfence Web Application Firewall should be protected from this vulnerability, we strongly recommend deactivating and removing the Contact Form 7 Datepicker plugin if it is installed on your site. If your site is running Wordfence, the scanner will alert you if any of your plugins are vulnerable or have been removed from the WordPress repository. Because the Contact Form 7 Datepicker plugin is no longer being maintained, it will likely never be patched, so it may be wise to look for an alternative plugin with similar functionality.
Owing to the number of sites affected by this plugin's closure, we are intentionally providing minimal information about this vulnerability to prevent widespread exploitation. We will continue to monitor the situation and provide additional information in a future update.
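The removal steps above, as an added example that is not part of the Wordfence post: a WP-CLI script that checks whether the plugin is installed, compares its version against the affected range (all versions up to 2.6.0, with no patched release), and deactivates and deletes it. It assumes WP-CLI is available and that it runs from the WordPress root.

```shell
#!/bin/sh
# Added example (not from the Wordfence post): detect and remove the unmaintained
# Contact Form 7 Datepicker plugin with WP-CLI. Assumes WP-CLI is installed and
# the script runs from the WordPress root directory.

PLUGIN_SLUG="contact-form-7-datepicker"
MAX_AFFECTED="2.6.0"   # the post lists every version <= 2.6.0 as affected

# is_affected VERSION -> exit 0 if VERSION <= MAX_AFFECTED, 1 otherwise.
is_affected() {
    v="$1"
    # sort -V orders version strings numerically; if the installed version sorts
    # first (or is equal to the maximum), it falls inside the affected range.
    first=$(printf '%s\n%s\n' "$v" "$MAX_AFFECTED" | sort -V | head -n 1)
    [ "$first" = "$v" ]
}

# remediate: deactivate and delete the plugin if it is present and affected.
remediate() {
    if ! wp plugin is-installed "$PLUGIN_SLUG" 2>/dev/null; then
        echo "$PLUGIN_SLUG is not installed"
        return 0
    fi
    installed=$(wp plugin get "$PLUGIN_SLUG" --field=version)
    if is_affected "$installed"; then
        echo "$PLUGIN_SLUG $installed is affected and has no patched release; removing"
        wp plugin deactivate "$PLUGIN_SLUG"
        wp plugin delete "$PLUGIN_SLUG"
    else
        echo "$PLUGIN_SLUG $installed is newer than $MAX_AFFECTED; review manually"
    fi
}
```

Run `remediate` on each site; a version newer than 2.6.0 is reported rather than removed so an operator can confirm its origin.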
The post High Severity Vulnerability Results in Closure of Plugin with Over 100,000 Installations appeared first on Wordfence.