
100,000 WordPress sites using the Contact Form 7 Datepicker plugin are exposed to hacking

April 3, 2020

Administrators of WordPress sites using the Contact Form 7 Datepicker plugin are advised to remove or deactivate it to prevent attackers from exploiting a stored cross-site scripting (XSS) vulnerability to create rogue admins or take over admin sessions.

'Contact Form 7 Datepicker' is open-source software that adds a date field to the user interface of the Contact Form 7 WordPress plugin, a contact form management plugin currently used on over 5 million websites. The Datepicker plugin was installed on more than 100k WordPress sites. The flaw was discovered by researchers from the Wordfence Threat Intelligence team.

Read More on Security Affairs