The Contact Form 7 Datepicker plugin has been removed from the WordPress repository following the discovery of a cross-scripting vulnerability. This plugin is apparently installed on some 100,000 WordPress websites. The Contact Form 7 Datepicker plugin allowed users to add a date picker to forms generated by Contact Form 7.
Please note that this does not relate to the Contact Form 7 Plugin, which is one of the most popular Form Plugins used on WordPress sites. The affected plugin was an additional feature offered by an independent plugin developer. This plugin is no longer supported and the developer has confirmed they do not intend to maintain it and are in agreement with it being removed entirely.
If your WordPress site has this plugin installed you should remove it and try to find an alternative solution to continue the facility this plugin offered. Failure to do so could result in your site being attacked.
According to Wordfence, who discovered and highlighted the vulnerability:-
WordFence added that “we are intentionally providing minimal details about this vulnerability to prevent widespread exploitation”.
If your site has Wordfence installed you should be automatically protected against cross-scripting attacks but removal of this plugin as soon as possible is still recommended.
If you need assistance with this or if you require help in protecting your website from any form of attack or have suffered hacking we are here to help. Please use the site contact form or chat feature for rapid assistance.