WordPress Plugin Vulnerabilities

Contact Form 7 Datepicker <= 2.6.0 - Authenticated Stored Cross-Site Scripting (XSS)

Description

Contact Form 7 Datepicker registers an AJAX action to save settings which calls a function that fails to perform a capability check or nonce check. As such, a logged-in attacker with minimal permissions (such as a subscriber) can send a crafted request which will store a malicious JavaScript in the plugin's settings. The next time an authorized user created or modified a contact form, the stored JavaScript would be executed in their browser, which could be used to steal an administrator’s session or even create malicious administrative users.

Proof of Concept

The PoC will be displayed once the issue has been remediated

Affects Plugins

contact-form-7-datepicker

No known fix - plugin closed

References

CVE

CVE-2020-11516

URL

https://www.wordfence.com/blog/2020/04/high-severity-vulnerability-leads-to-closure-of-plugin-with-over-100000-installations/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

Miscellaneous

Original Researcher

Ramuel Gall (Wordfence)

Submitter

Ramuel Gall

Verified

WPVDB ID

1cbfdc6a-e308-4a9e-b995-413e7d19ea04

Timeline

Publicly Published

2020-04-02 (about 2 years ago)

Added

2020-04-02 (about 2 years ago)

Last Updated

2020-09-22 (about 1 years ago)

Our Other Services

WPScan WordPress Security Plugin