With great power comes great responsibility. Recently a WordPress plugin with as many as 100,000 installations was taken down from the WordPress plugin repository due to a severe vulnerability.
The Wordfence team found a severe vulnerability in Contact Form 7 Datepicker, a WordPress plugin that adds a date picker to forms built with the very popular Contact Form 7 plugin. The vulnerability does not affect Contact Form 7 itself, but anyone who has Contact Form 7 Datepicker installed should deactivate and uninstall it immediately.
About the vulnerability
Contact Form 7 Datepicker lets you add a date picker to the forms created by Contact Form 7. To save the datepicker settings, the plugin registers an AJAX action whose handler fails to perform a nonce check.
If you do not know what a nonce is: it is a token that WordPress generates (via wp_create_nonce) and ties to the current user, the named action and a limited time window, so that a handler can verify that a request originated from a page WordPress itself rendered and reject requests from elsewhere. If a handler does not verify the nonce, an attacker can trigger that action from another origin (cross-site request forgery). In this particular case, the missing check lets an attacker store malicious code in the plugin's form settings in the database; whenever an administrator edits that form, the code runs in the administrator's browser (a stored cross-site scripting attack). Script running in the administrator's session can perform any action that user can, including creating another administrator account with a username and password of the attacker's choosing.
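To make the missing check concrete, here is an added example (not the Contact Form 7 Datepicker code, and not Wordfence's) of a WordPress AJAX settings handler written the way the article warns against, beside a hardened version that verifies the nonce, checks the caller's capability, whitelists the stored values and escapes them on output. All function and option names prefixed cf7dp_, the settings keys and the admin.js file are hypothetical.

```php
<?php
/**
 * Added example, not the plugin's own code. Names prefixed cf7dp_ and the
 * option key are hypothetical; the WordPress API calls are real.
 */

// --- Insecure pattern: no nonce, no capability check, no sanitization ---
add_action( 'wp_ajax_cf7dp_save_settings_insecure', 'cf7dp_save_settings_insecure' );
function cf7dp_save_settings_insecure() {
    // Any logged-in user can reach admin-ajax.php, and without a nonce a
    // third-party page can make a victim's browser send this request (CSRF).
    // Raw input lands in the database and is later echoed to administrators.
    update_option( 'cf7dp_settings', $_POST['settings'] );
    wp_send_json_success();
}

// --- Hardened version ---
add_action( 'wp_ajax_cf7dp_save_settings', 'cf7dp_save_settings' );
function cf7dp_save_settings() {
    // 1. Nonce: proves the request came from a page WordPress rendered for
    //    this user for this action. Dies with HTTP 403 on failure.
    check_ajax_referer( 'cf7dp_save_settings', 'nonce' );

    // 2. Capability: a valid nonce only proves origin, not authority, so the
    //    caller must also be allowed to change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Sanitize: whitelist each setting instead of storing whatever arrived.
    $raw = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();
    $allowed_formats = array( 'yy-mm-dd', 'dd/mm/yy', 'mm/dd/yy' );
    $clean = array(
        'date_format' => in_array( $raw['date_format'] ?? '', $allowed_formats, true )
            ? $raw['date_format'] : 'yy-mm-dd',
        'first_day'   => min( 6, max( 0, absint( $raw['first_day'] ?? 0 ) ) ),
        'inline'      => empty( $raw['inline'] ) ? 0 : 1,
    );
    update_option( 'cf7dp_settings', $clean );
    wp_send_json_success( $clean );
}

// Issue the nonce on the admin page and hand it to the script that makes the
// AJAX call (the script would POST action=cf7dp_save_settings plus cf7dp.nonce).
add_action( 'admin_enqueue_scripts', function ( $hook ) {
    wp_enqueue_script( 'cf7dp-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'cf7dp-admin', 'cf7dp', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'cf7dp_save_settings' ),
    ) );
} );

// 4. Escape on output: even a value that was sanitized on the way in must not
//    be echoed raw into the form editor, which is where the stored XSS fired.
function cf7dp_render_settings_field() {
    $settings = get_option( 'cf7dp_settings', array() );
    $format   = isset( $settings['date_format'] ) ? $settings['date_format'] : 'yy-mm-dd';
    printf(
        '<input type="text" name="settings[date_format]" value="%s" />',
        esc_attr( $format )
    );
}
```

The nonce and the capability check address different things: the nonce stops a forged request from another site, the capability check stops a low-privileged account from calling the handler directly with its own valid nonce. Both must be present, and sanitizing on input plus escaping on output is what keeps a stored value from executing in an administrator's browser.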
We have seen several XSS vulnerabilities in other plugins in the past. WordPress plugins certainly help site admins solve a ton of problems, but plugin maintenance must be taken just as seriously. Wordfence contacted the plugin developers to report the vulnerability, but they replied that they had stopped developing the plugin.
Uninstall Contact Form 7 Datepicker (Not Contact Form 7)
The developers are not going to fix the vulnerability, so all users are advised to remove the plugin immediately. To prevent further installations, the WordPress plugin team has removed it from the repository. If the plugin was installed on your site, also review the user list for administrator accounts you did not create, since that is exactly what the injected code could do.
Also, this vulnerability does not affect Contact Form 7 itself, so you can continue using Contact Form 7.
Original post @ Wordfence