CVE-2020-11516

Name of the Vulnerable Software and Affected Versions Contact Form 7 Datepicker plugin versions prior to 2.6.1

Description The issue allows authenticated attackers with minimal permissions to save arbitrary JavaScript to the plugin's settings via the unprotected wp ajax cf7dp save settings AJAX action and the ui theme parameter. If an administrator creates or modifies a contact form, the JavaScript will be executed in their browser, potentially leading to the creation of new administrative users or other actions using the administrator's session.

Recommendations For Contact Form 7 Datepicker plugin versions prior to 2.6.1, update to version 2.6.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the wp ajax cf7dp save settings AJAX action to prevent exploitation. Additionally, avoid using the ui theme parameter in the affected AJAX endpoint until the issue is resolved.