2 April 2020
Cross Site Scripting (XSS) vulnerability in Contact Form 7 Datepicker
On April 1, 2020, the Wordfence Threat Intelligence team discovered a stored Cross Site Scripting (XSS) vulnerability in Contact Form 7 Datepicker, a WordPress plugin installed on over 100,000 sites.
This plugin has been closed as of April 1, 2020 and is not available for download. This closure is temporary, pending a full review.
What should I do?
Anyone using this integration for Contact Form 7 is advised to remove the plugin until a full review has been conducted.
Plugins that become neglected soon become open to attack and leave website owners vulnerable to hacks.