Vulnerability Details CVE-2020-11516
Stored XSS in the Contact Form 7 Datepicker plugin through 2.6.0 for WordPress allows authenticated attackers with minimal permissions to save arbitrary JavaScript to the plugin's settings via the unprotected wp_ajax_cf7dp_save_settings AJAX action and the ui_theme parameter. If an administrator creates or modifies a contact form, the JavaScript will be executed in their browser, which can then be used to create new administrative users or perform other actions using the administrator's session.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 48.4%
CVSS Severity
CVSS v3 Score 5.4
CVSS v2 Score 3.5
References
Products affected by CVE-2020-11516
-
cpe:2.3:a:contact-form-7-datepicker_project:contact-form-7-datepicker:-
-
cpe:2.3:a:contact-form-7-datepicker_project:contact-form-7-datepicker:2.6.0