CVE-2020-11516

Published: Apr 7, 2020

Modified: Aug 4, 2024

PUBLISHED

Description

Stored XSS in the Contact Form 7 Datepicker plugin through 2.6.0 for WordPress allows authenticated attackers with minimal permissions to save arbitrary JavaScript to the plugin's settings via the unprotected wp_ajax_cf7dp_save_settings AJAX action and the ui_theme parameter. If an administrator creates or modifies a contact form, the JavaScript will be executed in their browser, which can then be used to create new administrative users or perform other actions using the administrator's session.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://www.wordfence.com/blog/2020/04/high-severity-vulnerability-leads-to-closure-of-plugin-with-over-100000-installations/

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2020-11516

Description

Affected Products

References