Vulnerability Discovered in Contact Form 7 Datepicker <= 2.6.0
https://www.wordfence.com
The Contact Form 7 Datepicker WordPress plugin has 100,000+ active installations. It adds a datepicker to forms generated by Contact Form 7 and includes the ability to modify settings for these datepickers. In versions <= 2.6.0, there is a vulnerability that allows attackers with minimal permissions, such as a subscriber, to send a crafted request containing malicious JavaScript, which would be stored in the plugin’s settings.
The plugin developers are no longer maintaining it and WordPress has removed it from the WordPress Plugin Repo. If your site has this plugin, it’s best you remove it ASAP.