WordPress site owners who use the Contact Form 7 Datepicker plugin are being urged to remove or deactivate it, in order to prevent attackers from creating rogue admins or taking over admin sessions after exploiting an authenticated cross-site scripting (XSS) vulnerability in the plugin.
The Contact Form 7 plugin itself, however, is completely safe: it is not affected by the XSS vulnerability identified in Contact Form 7 Datepicker.
Plugin no longer available on WordPress Repository
The Contact Form 7 Datepicker plugin has been closed since 1 April 2020 and is not available for download, after Wordfence QA Engineer Ram Gall reported the XSS bug he found on the same day. The closure is temporary, pending a full review.
The plugin had over 100k active installations at the time, as captured by the Wayback Machine.
The plugin development team said they are okay with the removal of the plugin from the WordPress repository, and that they have no intention of fixing or maintaining it.
Plugin Exploitation could lead to the spawning of rogue admins
If you still have this plugin, we strongly recommend that you remove or deactivate it. As the developers have stated, the plugin will not be maintained any further, so keeping it is not a good decision. Look for an alternative plugin with similar features that meets your needs.