cleantalk
Vulnerabilities and Security Researches

Contact Form 7 IE DatePicker and Number Spinner Fix, CVE-2020-11516

CVE, Research URL

CVE-2020-11516

Home page URL

Security reports for Contact Form 7 IE DatePicker and Number Spinner Fix

Application

Contact Form 7 IE DatePicker and Number Spinner Fix

Published on
Apr 07, 2020
Research Description
Stored XSS in the Contact Form 7 Datepicker plugin through 2.6.0 for WordPress allows authenticated attackers with minimal permissions to save arbitrary JavaScript to the plugin's settings via the unprotected wp_ajax_cf7dp_save_settings AJAX action and the ui_theme parameter. If an administrator creates or modifies a contact form, the JavaScript will be executed in their browser, which can then be used to create new administrative users or perform other actions using the administrator's session.
Affected versions
max 2.6.0.
Status
vulnerable
Previous vulnerability researches
Contact Form 7 IE DatePicker and Number Spinner Fix (CVE-2020-11516) , Jun 07, 2024
New vulnerability
OOPSpam Anti-Spam (CVE-2026-32544) , Mar 31, 2026
NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor (CVE-2026-27042) , Mar 31, 2026
The Conference (CVE-2026-32335) , Mar 31, 2026
WP Booking System – Booking Calendar (CVE-2025-68515) , Mar 31, 2026
UPI QR Code Payment Gateway for WooCommerce (CVE-2025-67969) , Mar 31, 2026