WordPress Plugin Bug Can Be Exploited to Create Rogue Admins

Owners of WordPress sites who use the Contact Form 7 Datepicker plugin are urged to remove or deactivate it to prevent attackers from creating rogue admins or taking over admin sessions after exploiting an authenticated stored cross-site scripting (XSS) vulnerability.

Contact Form 7 Datepicker is a no-longer-maintained plugin that integrates with Contact Form 7, a contact form management plugin installed on over 5 million websites, and adds a date-picker field to its forms.

Contact Form 7 itself is not affected by the XSS vulnerability found in Contact Form 7 Datepicker, so the millions of sites that use only Contact Form 7 are not at risk from this bug.

Plugin removed from repository

Contact Form 7 Datepicker was removed from the WordPress plugin repository by the WordPress plugins team on April 1, after Defiant/Wordfence QA Engineer Ram Gall reported the XSS bug he had found the same day.

The development team behind the plugin said that the plugin will no longer be maintained and that they were OK with its removal from the WordPress repository.

However, before its removal, the WordPress plugin had more than 100,000 active installations as shown by a page snapshot captured by the Wayback Machine in January.

Exploitation could lead to rogue admins being spawned

The Contact Form 7 Datepicker plugin makes it "possible for a logged-in attacker with minimal permissions, such as a subscriber, to send a crafted request containing malicious JavaScript which would be stored in the plugin’s settings," Gall explained.

"The next time an authorized user created or modified a contact form, the stored JavaScript would be executed in their browser, which could be used to steal an administrator’s session or even create malicious administrative users."
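To make the vulnerability class concrete, the following is an added illustration and not the Contact Form 7 Datepicker source or any code from Wordfence: a hypothetical plugin ("example_dp", with an assumed AJAX action name, option name and field) first saves a setting the way an authenticated stored XSS bug typically arises (any logged-in user can reach a `wp_ajax_*` handler; no capability check, no nonce, no sanitization, and the stored value is echoed unescaped into the form editor), and then the same handler hardened with a capability check, a nonce check, input sanitization and context-appropriate output escaping.

```php
<?php
// Added example: generic vulnerable-vs-hardened pattern for a plugin setting
// that is stored by an AJAX handler and rendered in the admin form editor.
// Hook, option and field names are assumptions, not the real plugin's.

// ---------------------------------------------------------------- vulnerable
// Every logged-in user (subscribers included) can call wp_ajax_* actions.
// Registered as: add_action( 'wp_ajax_example_dp_save', 'example_dp_save_vulnerable' );
function example_dp_save_vulnerable() {
    // No current_user_can(), no nonce, no sanitization: a subscriber can
    // store arbitrary markup such as "><script>...</script> in the option.
    update_option( 'example_dp_date_format', $_POST['date_format'] );
    wp_send_json_success();
}

function example_dp_render_field_vulnerable() {
    // Raw output into an attribute: the stored payload breaks out of the
    // value="" and runs in the browser of the next admin who edits a form.
    $format = get_option( 'example_dp_date_format', 'yy-mm-dd' );
    echo '<input type="text" name="date_format" value="' . $format . '">';
}

// ----------------------------------------------------------------- hardened
add_action( 'wp_ajax_example_dp_save', 'example_dp_save_hardened' );
function example_dp_save_hardened() {
    // 1. Authorization: only users who may manage options change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. CSRF protection: the request must carry a valid nonce (dies if not).
    check_ajax_referer( 'example_dp_save', 'nonce' );
    // 3. Sanitize on input: strips tags, control characters and slashes.
    $format = sanitize_text_field( wp_unslash( $_POST['date_format'] ?? '' ) );
    update_option( 'example_dp_date_format', $format );
    wp_send_json_success();
}

function example_dp_render_field_hardened() {
    // 4. Escape on output for the context it lands in (an HTML attribute).
    $format = get_option( 'example_dp_date_format', 'yy-mm-dd' );
    printf( '<input type="text" name="date_format" value="%s">', esc_attr( $format ) );
}
```

The two halves of the fix matter independently: the capability and nonce checks stop a subscriber from writing the setting at all, while `esc_attr()` on output ensures that even a value that reaches the database by some other path cannot execute in an administrator's browser.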

All Contact Form 7 Datepicker users are urged to immediately remove or deactivate the plugin on every site where it is installed.

Moreover, since its developers have abandoned it, a fix for the vulnerability will most likely never be released, so anyone still relying on it should look for an alternative.
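Because the report's stated impact is rogue administrator accounts and stolen admin sessions, removing the plugin alone does not tell you whether it was already exploited. The following is an added audit snippet, not part of the article or of any Wordfence or plugin code, that lists administrator accounts and flags any that are not on an allowlist of expected logins or that were registered after a cut-off date; the allowlist, the cut-off date and the file name are assumptions to be replaced.

```php
<?php
// Added example: one-off audit for unexpected administrator accounts.
// Run with WP-CLI, e.g. `wp eval-file audit-admins.php` (file name assumed),
// or temporarily as a mu-plugin. Allowlist and cut-off are assumptions.

$expected_admins = array( 'alice', 'bob' );      // assumed: the admins you know about
$cutoff          = '2020-01-01 00:00:00';         // assumed: start of the review window

function example_audit_admins( array $expected_admins, $cutoff ) {
    $flagged = array();
    $admins  = get_users( array( 'role' => 'administrator' ) );

    foreach ( $admins as $user ) {
        $reasons = array();
        if ( ! in_array( $user->user_login, $expected_admins, true ) ) {
            $reasons[] = 'not on allowlist';
        }
        // user_registered is "Y-m-d H:i:s", so a string comparison orders correctly.
        if ( $user->user_registered > $cutoff ) {
            $reasons[] = 'registered after ' . $cutoff;
        }
        if ( $reasons ) {
            $flagged[ $user->user_login ] = array(
                'id'         => (int) $user->ID,
                'email'      => $user->user_email,
                'registered' => $user->user_registered,
                'reasons'    => $reasons,
            );
        }
    }
    return $flagged;
}

$flagged = example_audit_admins( $expected_admins, $cutoff );
if ( ! $flagged ) {
    echo "No unexpected administrator accounts found.\n";
}
foreach ( $flagged as $login => $info ) {
    printf(
        "%s (ID %d, %s, registered %s): %s\n",
        $login, $info['id'], $info['email'], $info['registered'],
        implode( ', ', $info['reasons'] )
    );
}
```

Pair the audit with deactivating the plugin (`wp plugin deactivate <slug>`; the slug is assumed to be `contact-form-7-datepicker`, check it with `wp plugin list`) and, because the report also names session theft as an outcome, with invalidating existing sessions for administrator accounts (`wp user session destroy <user> --all`) and rotating their passwords.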
