Unpatched Flaw in Discontinued Plugin Exposes WordPress Sites to Attacks
A stored cross-site scripting vulnerability in the Contact Form 7 Datepicker WordPress plugin will not receive a patch, leaving websites exposed to attacks, WordPress security firm Defiant reports.
The plugin, designed to integrate with the Contact Form 7 contact form management plugin, had over 100,000 installations when the vulnerability was discovered.
The WordPress plugins team has already removed Contact Form 7 Datepicker from the repository for review.
Contact Form 7 Datepicker was designed to help users add a datepicker to forms generated by Contact Form 7, and also features the ability to modify settings for these datepickers.
Site admins are advised to deactivate and remove the Contact Form 7 Datepicker plugin and find an alternative plugin that can provide similar functionality.