The Contact Form 7 Datepicker was a handy plugin sometimes used to add a datepicker field in Contact Form 7 (CF7) forms. It was recently removed from the WordPress Plugin Directory due to a high severity security vulnerability.
This article explains why the Contact Form 7 Datepicker plugin was removed from the WordPress Plugin Directory and recommends viable alternatives to the plugin, which is no longer available.
Contact Form 7 Datepicker Vulnerability
Recently, a high severity security vulnerability was discovered in the Contact Form 7 Datepicker plugin by the Wordfence team.
The plugin included a stored Cross-Site Scripting (XSS) vulnerability in a feature to modify the settings for the date-pickers. To process the settings, it registered an AJAX call to a function that did not have a capability check or a nonce check. Therefore, it was possible for a logged-in user with minimal permissions to send a crafted request containing malicious JavaScript which would be stored in the plugin’s settings.
The next time an authorized user created or modified a form, the stored JavaScript was executed. Attackers could then use it to steal an administrator’s session or even create new malicious administrator users.
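The missing checks described above, shown as an added example that is not the plugin's code and not from the original article: a WordPress AJAX settings handler without, and then with, a nonce check, a capability check and input sanitizing. The `example_dp_*` names, the setting keys and the choice of the `manage_options` capability are assumptions made for illustration.

```php
<?php
// Added example: all 'example_dp_*' names are hypothetical, not the plugin's code.

// Vulnerable pattern: wp_ajax_* only requires a logged-in user, so any
// subscriber can reach this handler and overwrite the stored settings.
add_action( 'wp_ajax_example_dp_save_insecure', function () {
    update_option( 'example_dp_settings', $_POST['settings'] ); // stored as-is
    wp_die();
} );

// Hardened pattern: nonce check, capability check, then input sanitizing.
add_action( 'wp_ajax_example_dp_save', 'example_dp_save_settings' );
function example_dp_save_settings() {
    // 1. Nonce: reject forged (CSRF) requests. Dies with 403 on failure.
    check_ajax_referer( 'example_dp_save', 'nonce' );

    // 2. Capability: only users who may manage site options can save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }

    // 3. Sanitize: keep only expected keys, strip tags from every value.
    $raw     = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    $allowed = array( 'theme', 'date_format', 'first_day' ); // assumed keys
    $clean   = array();
    foreach ( $allowed as $key ) {
        if ( isset( $raw[ $key ] ) && is_scalar( $raw[ $key ] ) ) {
            $clean[ $key ] = sanitize_text_field( (string) $raw[ $key ] );
        }
    }
    update_option( 'example_dp_settings', $clean );
    wp_send_json_success();
}

// 4. Escape on output: never print stored settings into a page unescaped.
function example_dp_render_settings_field() {
    $settings = get_option( 'example_dp_settings', array() );
    $format   = isset( $settings['date_format'] ) ? $settings['date_format'] : '';
    printf(
        '<input type="text" name="settings[date_format]" value="%s" />',
        esc_attr( $format )
    );
    // The nonce the handler checks is issued on the admin settings page only.
    printf(
        '<input type="hidden" name="nonce" value="%s" />',
        esc_attr( wp_create_nonce( 'example_dp_save' ) )
    );
}
```

When auditing other installed plugins, the same three checks are what to look for in every function registered on a `wp_ajax_` hook that writes to the database.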
The plugin is no longer maintained by its developers, who have reportedly advised that they had no plans to fix this issue and were satisfied with removing the plugin from the repository. Therefore, the vulnerability may never be patched.
As a result, we strongly recommend that you deactivate and remove the Contact Form 7 Datepicker plugin if you have installed it on your websites.
Our Recommended Alternatives to Contact Form 7 Datepicker
You can install any one of the following plugins to add improved Datepicker support in Contact Form 7:
WP Datepicker
WP Datepicker is a lightweight plugin which can display a date picker on any form field.
It is extremely easy to integrate with Contact Form 7 forms. You simply need to add a selector under Settings >> WP Datepicker.
Then, use the same selector in any text field of your Contact Form 7 forms where you want to display the date picker.
WP Datepicker provides features such as:
- option to change language
- enable date picker for the admin dashboard
- enable or disable weekend selection.
Tip: The wide range of free Contact Form 7 Extensions available can give users many of the functions available in some of the well-known premium form plugins.
Date Time Picker Field
Using Date Time Picker Field, you can easily add a date and time picker to your Contact Form 7 forms. You simply need to add a selector under Settings >> Date & Time Picker.
Then, use the same selector in any text field of your Contact Form 7 forms where you want to display the date picker.
Date Time Picker Field provides many features including:
- time picker as well as date picker
- display only the date picker or only the time picker
- 15 selectable date formats and 2 selectable time formats
- customizable time steps, offset for the available times
- customizable values for minimum and maximum dates and times.
Tip: The Date Time Picker Pro version lets you customize the settings for each datepicker field individually.
Our Preference
We recommend that you use Date Time Picker Field because:
- it provides time picker as well as date picker
- you can disable the time picker or date picker individually
- it includes 15 selectable date formats and 2 selectable time formats
- you can disable specific days, dates, and times as well.
Tip: The Date Time Picker Pro version also lets you customize the settings for each datepicker field individually.