Administrators of WordPress sites using the Contact Form 7 Datepicker plugin are advised to remove or deactivate it to prevent attackers from exploiting a stored cross-site scripting (XSS) vulnerability to create rogue admin accounts or take over admin sessions.
'Contact Form 7 Datepicker' is open-source software that adds a date field to the user interface of the Contact Form 7 WordPress plugin, a contact form management plugin currently used on over 5 million websites. The Contact Form 7 Datepicker plugin itself was installed on more than 100k WordPress sites. The flaw was discovered by researchers from the Wordfence Threat Intelligence team.