
Cloud Vulnerability DB
A community-led vulnerabilities database
The Contact Form 7 Datepicker WordPress plugin through version 2.6.0 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2020-11516. The vulnerability was discovered and disclosed on April 1, 2020. This security issue affects over 100,000 WordPress installations that use the Contact Form 7 Datepicker plugin (Wordfence).
The vulnerability stems from an unprotected AJAX action, 'wp_ajax_cf7dp_save_settings', that performs neither a capability check nor nonce verification. This allows attackers to inject malicious JavaScript through the ui_theme parameter in the plugin's settings. The severity is rated CVSS v3.1 Base Score 5.4 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).
When exploited, the vulnerability allows stored JavaScript to be executed in an administrator's browser when they create or modify a contact form. This can lead to the creation of unauthorized administrative users or other malicious actions performed using the administrator's session privileges (WPScan).
No official fix has been released for this vulnerability, as the plugin has been closed. The recommended mitigation is to remove the Contact Form 7 Datepicker plugin from WordPress installations entirely and find an alternative solution (Wordfence).
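Added illustration of the defect class described above (a settings handler on an AJAX hook with no nonce or capability check, saving ui_theme unsanitized) next to the hardened form a fix would take; this is constructed example code, not the plugin's own code or a released patch, and the option name, theme list and function names are assumptions.

```php
<?php
// Constructed example; option name, theme list and function names are assumptions.

// Before: the handler on the AJAX hook checks nothing and stores ui_theme as received,
// so any logged-in user can persist markup that later renders in an admin's browser.
function cf7dp_save_settings_unprotected() {
    update_option( 'cf7dp_settings', array( 'ui_theme' => $_POST['ui_theme'] ) );
    wp_send_json_success();
}

// After: verify the nonce, require an administrator capability, and accept only a theme
// from a fixed allow-list so no attacker-controlled string reaches the stored option.
function cf7dp_allowed_ui_themes() {
    return array( 'smoothness', 'ui-lightness', 'ui-darkness' ); // assumed list
}

function cf7dp_save_settings_protected() {
    // Nonce emitted in the admin page via wp_create_nonce( 'cf7dp_save_settings' );
    // check_ajax_referer() terminates the request when it does not match.
    check_ajax_referer( 'cf7dp_save_settings', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {          // capability check
        wp_send_json_error( 'forbidden', 403 );
    }
    $theme = isset( $_POST['ui_theme'] ) ? sanitize_key( wp_unslash( $_POST['ui_theme'] ) ) : '';
    if ( ! in_array( $theme, cf7dp_allowed_ui_themes(), true ) ) {
        wp_send_json_error( 'invalid theme', 400 );
    }
    update_option( 'cf7dp_settings', array( 'ui_theme' => $theme ) );
    wp_send_json_success( array( 'ui_theme' => $theme ) );
}
// Only the protected handler is registered on the hook named in the advisory.
add_action( 'wp_ajax_cf7dp_save_settings', 'cf7dp_save_settings_protected' );

// Output side: escape the stored value when the admin form editor renders it, so a
// value persisted before the fix is displayed as text instead of executed.
function cf7dp_render_theme_field() {
    $settings = get_option( 'cf7dp_settings', array() );
    $theme    = isset( $settings['ui_theme'] ) ? $settings['ui_theme'] : '';
    printf( '<input type="text" name="ui_theme" value="%s" />', esc_attr( $theme ) );
}
```

Input validation closes the injection point and output escaping limits the impact of anything already stored, which matters here because a closed plugin will not ship its own fix.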
Source: This report was generated using AI