Vulnerability in Contact Form 7 Datepicker

High Severity Vulnerability Leads to Closure of Plugin with Over 100,000 Installations

On April 1, 2020, the Wordfence Threat Intelligence team discovered a stored Cross Site Scripting (XSS) vulnerability in Contact Form 7 Datepicker, a WordPress plugin installed on over 100,000 sites. As the plugin developer’s github page indicated that the plugin was no longer being maintained, we contacted the WordPress plugins team with our disclosure, and they immediately removed the plugin from the repository for review. We also contacted the plugin’s developer and received a response verifying that they had no plans to maintain it and were satisfied with removing the plugin from the repository.

All Wordfence users, including Wordfence free and Wordfence Premium users, are protected from this vulnerability by the Wordfence Firewall’s built-in XSS protection. Nonetheless, we strongly recommend deactivating and removing this plugin.

Description: Authenticated Stored Cross-Site Scripting(XSS)
Affected Plugin: Contact Form 7 Datepicker
Plugin Slug: contact-form-7-datepicker
Affected Versions: <= 2.6.0
CVE ID: Will be updated once identifier is supplied.
CVSS Score: 7.4(High)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Fully Patched Version: N/A

The Contact Form 7 Datepicker plugin allows users to add a datepicker to forms generated by Contact Form 7, and it includes the ability to modify settings for these datepickers. In order to process these settings, it registered an AJAX action calling a function that failed to include a capability check or a nonce check. As such, it was possible for a logged-in attacker with minimal permissions, such as a subscriber, to send a crafted request containing malicious JavaScript which would be stored in the plugin’s settings.

The next time an authorized user created or modified a contact form, the stored JavaScript would be executed in their browser, which could be used to steal an administrator’s session or even create malicious administrative users.

What should I do?

Although all sites running the Wordfence Web Application Firewall should be protected against this vulnerability, we strongly recommend deactivating and removing the Contact Form 7 Datepicker plugin if it is installed on your site. If your site is running Wordfence, the scanner should alert you if any of your plugins are vulnerable, or have been removed from the WordPress repository. As the Contact Form 7 Datepicker plugin is no longer being maintained, it will likely not ever be patched, so it may be wise to search for an alternative plugin with similar functionality.

Due to the number of sites affected by this plugin’s closure, we are intentionally providing minimal details about this vulnerability to prevent widespread exploitation. We will continue to monitor the situation and provide more details in a future update.

Comments

Dropshipzone Australia API Integration with WooCommerce: A Game-Changer for Online Retailers

Introduction: The Power of Dropshipzone Australia API Integration with WooCommerce In the competitive world of e-commerce, efficiency and seamless operations are key to success. Dropshipzone Australia, a prominent player in the Australian online retail space, offers an API that integrates with WooCommerce, enabling store owners to automate and streamline their business processes. In this article, we’ll explore how leveraging Dropshipzone Australia API integration with WooCommerce can revolutionize your online store by simplifying product imports, inventory management, pricing strategies, and image optimization. Dropshipzone Australia API Integration with WooCommerce Why Dropshipzone Australia API Integration with WooCommerce Matters Managing an online store is no easy task. From keeping inventory up to date to ensuring that product details are accurate, store owners face numerous challenges daily. The Dropshipzone Australia API integration with WooCommerce addresses these pain...

Parasut Accounting & Invoicing integration with woocommerce

Parasut Accounting & Invoicing integration with woocommerce Parasut is a cloud-based finance management application for Small Business Owners in Turkey. Please use Paraşüt mobile application alongside the web application to benefit from all features. Paraşüt Accounting & Invoicing integration with woocommerce is useful for automation and fast process stop manual creating invoice will save time and efforts. Why e-Invoice with Parasut ? Manage your application processes with our e-invoice transition consultant. Switch to e-invoice within 30 minutes* without leaving your seat. Parasut Accounting & Invoicing integration with woocommerce Use it at Affordable Prices Get rid of fees such as integration and training fees. Send e-invoices with affordable e-top-up prices. Integrated Pre-Accounting When using e-document services with Paraşüt, manage your financial data from anywhere thanks to the features that will allow you to manage your preliminary accounting...

Batscrm api integration wordpress via custom form custom plugin

BATS is the only software you need to automate, streamline, manage & grow your transportation business. BATS takes performance to the next level with built-in features such as batch emails, inline editing and much more! Batscrm api integration wordpress via custom form custom plugin BATS gives you everything you need, upfront, to run your business more effectively while saving time and money in the process. Batscrm api integration wordpress via custom form custom plugin Why use Batscrm api integration wordpress AQua Pricing Engine Price your opportunities automatically or with the click of a button using our internally managed pricing engine eDoc - Electronic Signature BATS’ electronic signing platform allows you to capture signatures from customers as well as carriers, even if they’re not on Central Dispatch. Billing BATS’ powerful billing module captures & processes customers credit cards, manages commission payouts and manages all accounts receivables and payable...

lalit yadav

Search This Blog