Contact Form 7 Datepicker registers an AJAX action to save settings which calls a function that fails to perform a capability check or nonce check. As such, a logged-in attacker with minimal permissions (such as a subscriber) can send a crafted request which will store a malicious JavaScript in the pluginβs settings. The next time an authorized user created or modified a contact form, the stored JavaScript would be executed in their browser, which could be used to steal an administratorβs session or even create malicious administrative users.
The PoC will be displayed once the issue has been remediated
CPE | Name | Operator | Version |
---|---|---|---|
contact-form-7-datepicker | eq | * |