WordPress Plugin Bug Can Be Used to Create Rogue Admins

WordPress site owners who use the Contact Form 7 Datepicker plugin are forced to remove or deactivate it, in order to prevent attackers from creating rogue admins or taking over admin sessions after exploiting an authenticated stored cross-site scripting (XSS) vulnerability.

However, the Contact Form 7 plugin itself is completely safe: it is not affected by the XSS vulnerability identified in the separate Contact Form 7 Datepicker plugin.

Plugin no longer available on WordPress Repository

The Contact Form 7 Datepicker plugin has been closed since 1 April 2020 and is not available for download, after Wordfence QA Engineer Ram Gall reported the XSS bug he found on the same day. The closure is temporary, pending a full review.

Moreover, the plugin had over 100k active installations, as captured by the Wayback Machine.

If you have one of the 100k+ WordPress sites using the Contact Form 7 Datepicker plugin

The plugin development team said they are okay with the removal of the plugin from the WordPress repository, and that they have no intention of fixing or maintaining it.

Plugin Exploitation could lead to the spawning of rogue admins

The Contact Form 7 Datepicker plugin allows users to add a datepicker to the forms generated by Contact Form 7, and it includes the ability to modify the settings for these datepickers. To process these settings, the plugin registered an AJAX action whose callback function failed to include either a capability check or a nonce check. As a result, a logged-in attacker with minimal permissions could send a request containing malicious JavaScript that would then be stored in the plugin settings.

The next time an authorized user created or modified a contact form, the stored JavaScript would execute in their browser, which could be used to steal an administrator’s session or even to create malicious administrative users.
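To make the missing checks concrete, here is an added illustrative example (not the plugin’s own code) of a WordPress AJAX settings handler in the vulnerable shape the article describes, beside a hardened version that adds the nonce check, the capability check, input validation and output escaping. The action and option names (`cf7dp_example_*`) and the settings fields are assumptions.

```php
<?php
// Added example, not code from the Contact Form 7 Datepicker plugin.
// Action names, option key and field names are assumed for illustration.

// VULNERABLE PATTERN (the shape the article describes): the AJAX callback
// stores whatever the request sends, with no nonce and no capability check,
// so any logged-in user can write arbitrary content into the settings.
add_action( 'wp_ajax_cf7dp_example_save_insecure', function () {
    update_option( 'cf7dp_example_settings', $_POST['settings'] ); // stored as-is
    wp_send_json_success();
} );

// HARDENED PATTERN: nonce, capability, validation, escaping on output.
add_action( 'wp_ajax_cf7dp_example_save', 'cf7dp_example_save_settings' );
function cf7dp_example_save_settings() {
    // 1. CSRF protection: the request must carry a nonce issued for this action
    //    (check_ajax_referer() dies with a 403-style response if it is invalid).
    check_ajax_referer( 'cf7dp_example_save', 'nonce' );

    // 2. Authorization: only users who may manage the site can change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // 3. Validation: accept only the expected fields, each with a restricted shape.
    $raw = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] ) : array();
    $allowed_formats = array( 'yy-mm-dd', 'dd/mm/yy', 'mm/dd/yy' );
    $format = isset( $raw['dateFormat'] ) ? sanitize_text_field( $raw['dateFormat'] ) : 'yy-mm-dd';
    $clean  = array(
        'dateFormat' => in_array( $format, $allowed_formats, true ) ? $format : 'yy-mm-dd',
        'minDate'    => isset( $raw['minDate'] ) ? (int) $raw['minDate'] : 0,
    );
    update_option( 'cf7dp_example_settings', $clean );
    wp_send_json_success( $clean );
}

// 4. Output escaping: stored values are escaped when rendered into admin HTML,
//    so a value that slipped past validation cannot execute as script.
function cf7dp_example_render_format_field() {
    $settings = get_option( 'cf7dp_example_settings', array() );
    $format   = isset( $settings['dateFormat'] ) ? $settings['dateFormat'] : 'yy-mm-dd';
    echo '<input type="text" name="dateFormat" value="' . esc_attr( $format ) . '">';
}

// The admin script that calls the AJAX action receives its nonce like this.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'jquery', 'cf7dpExample', array(
        'nonce' => wp_create_nonce( 'cf7dp_example_save' ),
    ) );
} );
```

The nonce check alone does not authorize the caller (any logged-in user can obtain a nonce), which is why the capability check in step 2 is the control that actually stops a low-privilege account from writing settings.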

If you still have this plugin, we strongly recommend that you remove or deactivate it. As the developers have stated, the plugin will not be maintained any further, so keeping it is not a good decision. Look for an alternative plugin with similar features that can meet your needs.


2020-04-07T10:41:15+00:00

About the Author:

He is an enthusiastic writer and WordPress user. He writes on WordPress, WooCommerce, E-Commerce, and open-source projects.
