The Contact Form 7 Datepicker plugin has been removed from the WordPress repository following the discovery of a cross-site scripting (XSS) vulnerability. This plugin is apparently installed on some 100,000 WordPress websites. The Contact Form 7 Datepicker plugin allowed users to add a date picker to forms generated by Contact Form 7.
Please note that this does not relate to the Contact Form 7 plugin itself, which is one of the most popular form plugins used on WordPress sites. The affected plugin was an additional feature offered by an independent plugin developer. This plugin is no longer supported; the developer has confirmed they do not intend to maintain it and are in agreement with it being removed entirely.
If your WordPress site has this plugin installed you should remove it and try to find an alternative solution that provides the facility this plugin offered. Failure to do so could leave your site open to attack.
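To check an installation for the plugin, the following added example (not code from the original post or from the plugin's author) reads the standard WordPress plugin header comment from each folder under wp-content/plugins and reports any whose Plugin Name matches. The folder names, versions and header name used here are constructed assumptions; confirm the name against your own copy before relying on the match.

```python
"""Find installed copies of the Contact Form 7 Datepicker plugin by reading
WordPress plugin headers. Added example; the plugins tree is constructed here
so the script runs self-contained."""
import os
import re
import tempfile

# WordPress itself reads the first 8 KiB of a plugin file when parsing headers.
HEADER_BYTES = 8192
HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*(?:\*/)?$", re.M | re.I
)
# Assumed header value; verify it against the copy on your own site.
TARGET_NAME = "contact form 7 datepicker"


def read_headers(path):
    """Return {'Plugin Name': ..., 'Version': ...} parsed from a PHP file header."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        chunk = fh.read(HEADER_BYTES)
    return {key.title(): value for key, value in HEADER_RE.findall(chunk)}


def find_datepicker(plugins_dir):
    """Scan a wp-content/plugins directory; return [(folder, version)] for matches."""
    hits = []
    for folder in sorted(os.listdir(plugins_dir)):
        folder_path = os.path.join(plugins_dir, folder)
        if not os.path.isdir(folder_path):
            continue
        for fname in sorted(os.listdir(folder_path)):
            if not fname.endswith(".php"):
                continue
            headers = read_headers(os.path.join(folder_path, fname))
            if headers.get("Plugin Name", "").strip().lower() == TARGET_NAME:
                hits.append((folder, headers.get("Version", "unknown")))
                break  # one header file per plugin folder is enough
    return hits


def build_sample_install():
    """Constructed plugins tree: one affected plugin and one unrelated plugin."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    samples = {
        "cf7-datepicker-sample": "<?php\n/*\nPlugin Name: Contact Form 7 Datepicker\nVersion: 0.0-sample\n*/\n",
        "other-plugin": "<?php\n/**\n * Plugin Name: Other Plugin\n * Version: 1.0\n */\n",
    }
    for folder, body in samples.items():
        os.makedirs(os.path.join(root, folder))
        with open(os.path.join(root, folder, folder + ".php"), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for folder, version in find_datepicker(build_sample_install()):
        print(f"remove: {folder} (version {version})")
```

On a live site, point find_datepicker at the real wp-content/plugins path instead of the constructed tree.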
According to Wordfence, who discovered and reported the vulnerability:
“A logged-in attacker with minimal permissions, such as a subscriber, could send a crafted request containing malicious JavaScript which would be stored in the plugin’s settings. The next time an authorized user created or modified a contact form, the stored JavaScript would be executed in their browser, which could be used to steal an administrator’s session or even create malicious administrative users.”
Wordfence added that “we are intentionally providing minimal details about this vulnerability to prevent widespread exploitation”.
If your site has Wordfence installed you should be automatically protected against cross-site scripting attacks, but removing this plugin as soon as possible is still recommended.
If you need assistance with this or if you require help in protecting your website from any form of attack or have suffered hacking we are here to help. Please use the site contact form or chat feature for rapid assistance.