Contact Form 7 Datepicker <= 2.6.0 – Authenticated Stored Cross-Site Scripting (XSS) | CVE 2020-11516

Description

Contact Form 7 Datepicker registers an AJAX action to save settings which calls a function that fails to perform a capability check or nonce check. As such, a logged-in attacker with minimal permissions (such as a subscriber) can send a crafted request which will store a malicious JavaScript in the plugin's settings. The next time an authorized user created or modified a contact form, the stored JavaScript would be executed in their browser, which could be used to steal an administrator’s session or even create malicious administrative users.

Proof of Concept

The PoC will be displayed once the issue has been remediated.

Affects Plugins

contact-form-7-datepicker

No known fix

References

CVE

CVE-2020-11516

URL

https://www.wordfence.com/blog/2020/04/high-severity-vulnerability-leads-to-closure-of-plugin-with-over-100000-installations/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

5.4 (medium)

Miscellaneous

Original Researcher

Ramuel Gall (Wordfence)

Submitter

Ramuel Gall

Verified

WPVDB ID

1cbfdc6a-e308-4a9e-b995-413e7d19ea04

Timeline

Publicly Published

2020-04-02 (about 5 years ago)

Added

2020-04-02 (about 5 years ago)

Last Updated

2020-09-22 (about 5 years ago)

Other

Published

Title

Published

2025-04-01

Title

Awesome Event Booking < 2.8.5 - Reflected Cross-Site Scripting

Published

2021-05-17

Title

WP Prayer < 1.6.2 - Authenticated Stored Cross-Site Scripting (XSS)

Published

2025-01-03

Title

Order Audit Log for WooCommerce <= 2.0 - Reflected Cross-Site Scripting

Published

2025-04-17

Title

WPAMS <= 44.0 (17-08-2023) - Unauthenticated Stored Cross-Site Scripting

Published

2024-09-09

Title

Nova Blocks by Pixelgrade < 2.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via align Attribute