If you use a plugin called Contact Form 7 Datapicker on your WordPress website, you should immediately deactivate and remove it.

This problem plugin is different from the popular plugin, Contact Form 7 which is not a risk.

Just yesterday, a Cross Site Scripting (XSS) vulnerability was discovered in the Contact Form 7 Datapicker plugin. According to Portswigger Web Security, XSS allows “an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform, and to access any of the user’s data.”

This means the problem plugin can allow an attacker to place malicious code on the website where the plugin is installed. When a user visits the site, the code allows the attacker to impersonate the user – reading any data or carrying out any action the user could see and do, capturing their username and password, defacing the website or even adding malware.

At lowest risk are websites where all the content is public and users don’t have to log in. At higher risk are websites containing sensitive data, such as personal, healthcare and/or banking information. If the compromised user has administrative privileges, the attacker can take full control of the website and any data stored there.

The developers of the plugin are no longer maintaining it so it’s best to deactivate and remove it.

To learn more, go to this Wordfence post.

You can also download a copy of the Wordfence plugin on that site. Both the free and premium versions have built-in XSS protection.