WordPress Plugin Flaw Exposes 10k+ Websites to Cyber Attacks

A critical vulnerability in the WP Datepicker WordPress plugin was identified, affecting over 10,000 active installations. 

This Arbitrary Options Update vulnerability (CVE-2024-3895) has been assigned a CVSS score of 8.8, indicating a high severity level.

CVE-2024-3895: Arbitrary Options Update Vulnerability in WP Datepicker Plugin

This vulnerability could be exploited by authenticated attackers with subscriber-level access and above to update arbitrary options, which can be easily leveraged for privilege escalation.

Such an attack could allow threat actors to create administrator accounts, posing a significant risk to affected websites.

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

The vulnerability was found in the WP Datepicker plugin, a widely used tool for managing date and time inputs in WordPress forms. The flaw, which existed in versions 2.1.0 and earlier, has been fully addressed in version 2.1.1.

The source code has been reformatted for better readability, causing the line numbers to be different:

function wpdp_add_new_datepicker_ajax(){

   global $wpdp_premium_link, $wpdp_dir, $wpdp_url, $wpdp_pro, $wpdp_data, $wpdp_options, $wpdp_styles, $wpdp_gen_file;

   if(isset($_POST['wpdp_add_new_datepicker']) || isset($_POST['wpdp_get_selected_datepicker']) || isset($_POST['wpdp_form_data'])){

        if (

           ! isset( $_POST['wpdp_nonce_action_field'] )

           || ! wp_verify_nonce( $_POST['wpdp_nonce_action_field'], 'wpdp_nonce_action' )

        ) {

           print __('Sorry, your nonce did not verify.', 'wp-datepicker');


Bounty Program:

The researcher who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program, Lucio Sá, was awarded a bounty of $493.00 for their discovery during the Bug Bounty Program Extravaganza.

Wordfence is running a Bug Bounty Extravaganza, offering increased bounty rates for vulnerabilities submitted through May 27th, 2024.

The Wordfence firewall rule detects the malicious AJAX action and blocks the request if it does not come from an existing authorized administrator.

To protect against exploits targeting this vulnerability, WordPress users are strongly encouraged to verify that their sites are updated to the latest patched version of WP Datepicker (2.1.1 or higher).

In April, Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against exploits targeting this vulnerability.

Free Webinar: Mastering Web Application and API Protection/WAF ROI Analysis -  Book Your Spot