Contact Form 7 Datepicker Taken Down from WordPress Plugin Repository

With great power comes great responsibility. Recently, the WordPress team took down a WordPress plugin with as many as 100,000 installations from the WordPress plugin repository due to a severe vulnerability.

The Wordfence team found a severe vulnerability in Contact Form 7 Datepicker, a WordPress plugin that adds a datepicker to forms created with the popular plugin Contact Form 7. Though the vulnerability does not affect Contact Form 7 itself, anyone with Contact Form 7 Datepicker installed on their site should immediately deactivate and uninstall it.

About the vulnerability

Contact Form 7 Datepicker allows you to add a datepicker to the forms created by Contact Form 7. To save the datepicker settings, the plugin uses an AJAX action to call a function that fails to perform a nonce check.

If you do not know what a nonce is, it is basically a token that WordPress generates to verify the source of a request and block malicious requests. If developers do not verify the nonce, attackers can trigger actions from other sources. In this case, an attacker can inject malicious code into the form settings stored in the database. When an administrator then edits that form, the malicious code is executed in the administrator's browser. The code can perform any action on behalf of the logged-in user, including creating another admin user with a username and password chosen by the attacker.
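The missing check described above, shown as an added example that is not the plugin's own code: a settings handler without a nonce check next to a hardened version. The action name, option name, theme list and function names are all hypothetical, and the code assumes it lives in a plugin file loaded by WordPress.

```php
<?php
// Added example: all "example_*" names are hypothetical, not the plugin's code.

// Weak pattern: no nonce check, so the request may have been triggered from
// another site while an admin was logged in, and the value is stored as sent.
add_action( 'wp_ajax_example_save_datepicker', 'example_save_weak' );
function example_save_weak() {
    update_option( 'example_datepicker_theme', $_POST['theme'] );
    wp_die();
}

// Hardened pattern for the same setting.
add_action( 'wp_ajax_example_save_datepicker_safe', 'example_save_safe' );
function example_save_safe() {
    // 1. Reject the request unless it carries a valid nonce for this action.
    //    check_ajax_referer() ends the request itself when the nonce is invalid.
    check_ajax_referer( 'example_save_datepicker', 'nonce' );

    // 2. A nonce shows where the request came from, not who may make it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Accept only known values instead of storing raw input.
    $allowed = array( 'base', 'smoothness', 'dark' ); // constructed sample list
    $theme   = isset( $_POST['theme'] ) ? sanitize_key( wp_unslash( $_POST['theme'] ) ) : '';
    if ( ! in_array( $theme, $allowed, true ) ) {
        wp_send_json_error( 'invalid theme', 400 );
    }

    update_option( 'example_datepicker_theme', $theme );
    wp_send_json_success();
}

// Settings screen: issue the nonce the handler expects and escape the stored
// value on output, so a bad value in the database cannot run as markup.
function example_render_settings() {
    $theme = get_option( 'example_datepicker_theme', 'base' );
    printf(
        '<input type="hidden" id="example-nonce" value="%s"><input name="theme" value="%s">',
        esc_attr( wp_create_nonce( 'example_save_datepicker' ) ),
        esc_attr( $theme )
    );
}
```

When auditing other plugins, look for `wp_ajax_` handlers that write to the database without calling `check_ajax_referer()` or `wp_verify_nonce()` and `current_user_can()`.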

We have already seen several XSS vulnerabilities in other plugins in the past. WordPress plugins definitely help site admins with many problems, but plugin maintenance also needs to be taken seriously. Wordfence contacted the plugin developers to inform them about the vulnerability, but they said they had stopped developing the plugin.

Uninstall Contact Form 7 Datepicker (Not Contact Form 7)

The developers are not going to fix the vulnerability, so all users are advised to remove the plugin immediately. To prevent any further installations, the WordPress team has stopped new installations of the plugin.

Contact form removed from WordPress

Again, this vulnerability does not affect Contact Form 7, so you can continue using Contact Form 7.

Original post @ Wordfence