Discontinued Wordpress Plugin Expose Site to Attacks

Cross-site scripting (XSS)vulnerability found in the Popular  WordPress Plugin Contact Form 7 DatePicker

Cross-site scripting (XSS)vulnerability found in the Popular  WordPress Plugin Contact Form 7 DatePicker, This bug is considered extremely serious. Datepicker which was made to be merge with Contact form 7 plugin ,have an Active installations of 5 million during the time of vulnerable was discovered.

Although WordPress removed the plugin from it dictionary , developer made it clear to Hackers Review that they had no plans of to maintain the plugin leaving over 5 million  active WordPress site at risk
The contact form 7 Datepicker plugin allows users to add a date to the forms created with the aid of contact form 7, and it consists of the ability to change these datepicker settings. It registered an AJAX movement calling a function that failed to include a functionality check or a nonce test as a way of handling certain settings. As such, a logged-in attacker with limited access, including a subscriber, was able to ship a designed request containing malicious JavaScript that could be saved within the settings of the plugin.

Security week explain this bug in a difiant
As such, a logged-in attacker with limited permissions, such as a subscriber, might submit a crafted request that contained malicious JavaScript that would be stored in the plugin settings

 It will result in the execution of stored JavaScript code in the browser when an authorized user creates or modifies a contact form. Hacker might use this to access an administrator's session or add their own administrative accounts.

Site admins are urged to disable and uninstall the Datepicker plugin Contact Form 7 and find alternative plugin that can provide similar features.

One Last thing The Contact Form 7 is not  vulnerable only the addon / intergrated on which is Datepicker Is.
Previous Post Next Post