Stored XSS in Contact Form 7 Datepicker Plugin through 2.6.0 for WordPress

Stored XSS in Contact Form 7 Datepicker Plugin through 2.6.0 for WordPress

CVE-2020-11516 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Stored XSS in the Contact Form 7 Datepicker plugin through 2.6.0 for WordPress allows authenticated attackers with minimal permissions to save arbitrary JavaScript to the plugin's settings via the unprotected wp_ajax_cf7dp_save_settings AJAX action and the ui_theme parameter. If an administrator creates or modifies a contact form, the JavaScript will be executed in their browser, which can then be used to create new administrative users or perform other actions using the administrator's session.

Learn more about our Wordpress Pen Testing.