CVE-2024-12468
📋 TL;DR
The WP Datepicker WordPress plugin has a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts via the 'wpdp_get_selected_datepicker' parameter. This affects all WordPress sites using WP Datepicker versions 2.1.4 and earlier. Attackers can exploit this by tricking users into clicking specially crafted links.
💻 Affected Systems
- WP Datepicker WordPress Plugin
📦 What is this software?
Wp Datepicker by Androidbubbles
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, redirect users to malicious sites, perform actions on behalf of authenticated users, or deliver malware payloads.
Likely Case
Session hijacking, credential theft, or redirection to phishing sites when users click malicious links.
If Mitigated
Limited impact if Content Security Policy is properly configured and users are trained to avoid suspicious links.
🎯 Exploit Status
Reflected XSS vulnerabilities are commonly weaponized in phishing campaigns and require minimal technical skill to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.5 or later
Vendor Advisory: https://wordpress.org/plugins/wp-datepicker/#developers
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find WP Datepicker plugin
4. Click 'Update Now' if update is available
5. Alternatively, download version 2.1.5+ from WordPress.org and manually replace files
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate the WP Datepicker plugin until it is patched (WP-CLI):
wp plugin deactivate wp-datepicker
Implement Content Security Policy
Add CSP headers to restrict script execution to same-origin sources. Note that a policy of script-src 'self' without 'unsafe-inline' also blocks the inline scripts that WordPress admin pages and many plugins rely on, so test the policy on a staging site before enforcing it.
Add to .htaccess (requires mod_headers): Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Add to nginx config: add_header Content-Security-Policy "default-src 'self'; script-src 'self'";
🧯 If You Can't Patch
- Implement web application firewall rules to block malicious parameter values
- Monitor for suspicious URL patterns containing wpdp_get_selected_datepicker parameter
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for WP Datepicker version ≤2.1.4
Check Version:
wp plugin get wp-datepicker --field=version
Verify Fix Applied:
Confirm WP Datepicker version is 2.1.5 or higher in WordPress admin
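The version checks above compare strings by eye; the following Python helper, added here as an example and not part of the advisory or the plugin, does the comparison numerically so that a future release such as 2.1.10 is not mistaken for an older one. It accepts the string printed by wp plugin get wp-datepicker --field=version, and it can also read the Version: line from a plugin's main PHP file header when WP-CLI is unavailable. The file path wp-content/plugins/wp-datepicker/wp-datepicker.php is an assumption used only for illustration.

```python
import re

# First fixed release according to the advisory above.
PATCHED = (2, 1, 5)


def parse_version(text):
    """Turn '2.1.4', 'v2.1.4' or '2.1.4.1' into a tuple of ints for numeric comparison.

    A plain string comparison would rank '2.1.10' below '2.1.5'; tuples compare
    element by element, so (2, 1, 10) > (2, 1, 5) as intended.
    """
    m = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version_text):
    """True when the installed version is older than the first patched release."""
    return parse_version(version_text) < PATCHED


def version_from_plugin_header(php_source):
    """Extract the 'Version:' field from a WordPress plugin header comment.

    WordPress plugins declare metadata in a comment block at the top of their
    main file; this reads the Version line from that block.
    """
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", php_source, re.MULTILINE)
    if not m:
        raise ValueError("no Version: header found")
    return m.group(1)


# Constructed sample of a plugin header block (not the real plugin file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: WP Datepicker
 * Version: 2.1.4
 */
"""


if __name__ == "__main__":
    # Assumed path; adjust to your installation.
    # with open("wp-content/plugins/wp-datepicker/wp-datepicker.php") as fh:
    #     installed = version_from_plugin_header(fh.read())
    installed = version_from_plugin_header(SAMPLE_HEADER)
    state = "VULNERABLE" if is_vulnerable(installed) else "patched"
    print(f"WP Datepicker {installed}: {state}")
```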
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing 'wpdp_get_selected_datepicker' parameter with script tags or JavaScript code
- Unusual referrer headers with encoded script payloads
Network Indicators:
- URLs with wpdp_get_selected_datepicker parameter containing script tags or JavaScript
SIEM Query:
web.url:*wpdp_get_selected_datepicker* AND (web.url:*<script* OR web.url:*javascript:* OR web.url:*onload=* OR web.url:*onerror=*)
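The SIEM query above matches the raw request URL, so a payload that arrives URL-encoded (for example %3Cscript) would not match the literal <script pattern. The following Python script, added here as an example and not part of the advisory, applies the same four indicators after decoding the wpdp_get_selected_datepicker value, including a second decoding pass for double-encoded requests. The access-log lines are constructed for this example in combined log format; the admin page path used in them is a placeholder, not the plugin's real endpoint.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format). The request path and
# page parameter are placeholders; only the query parameter name comes from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /wp-admin/admin.php?page=EXAMPLE-PAGE&wpdp_get_selected_datepicker=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2025:10:00:02 +0000] "GET /wp-admin/admin.php?page=EXAMPLE-PAGE&wpdp_get_selected_datepicker=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2025:10:00:03 +0000] "GET /wp-admin/admin.php?page=EXAMPLE-PAGE&wpdp_get_selected_datepicker=%22%3E%3Cimg%20src%3Dx%20onerror%3Dtest%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2025:10:00:04 +0000] "GET /wp-admin/admin.php?page=EXAMPLE-PAGE&wpdp_get_selected_datepicker=%253Cscript%253Etest HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2025:10:00:05 +0000] "GET /?s=hello HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

PARAM = "wpdp_get_selected_datepicker"
# The same indicators as the SIEM query above, checked on the decoded value.
MARKERS = ("<script", "javascript:", "onload=", "onerror=")


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_value(value):
    """True if a (once-decoded) parameter value contains a script indicator.

    parse_qs already decodes one layer; a second unquote catches double-encoded
    input such as %253Cscript%253E, which decodes to %3Cscript%3E and then <script>.
    """
    decoded = unquote(value).lower()
    return any(marker in decoded for marker in MARKERS)


def find_hits(log_text):
    """Scan log lines and return a list of records whose parameter value looks like XSS."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        params = parse_qs(urlsplit(rec["target"]).query, keep_blank_values=True)
        for value in params.get(PARAM, []):
            if suspicious_value(value):
                hits.append({"ip": rec["ip"], "ts": rec["ts"], "value": unquote(value)})
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {PARAM}={hit["value"]!r}')
```

Decoding the value rather than matching the raw URL is the difference that matters here: the plain value "2" in the first sample line is left alone, while the encoded, attribute-injection and double-encoded forms in lines two to four are all reported. On a live server, feed the script your real access log instead of SAMPLE_LOG.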
🔗 References
- https://plugins.trac.wordpress.org/browser/wp-datepicker/tags/2.1.3/inc/wpdp_settings.php#L267
- https://plugins.trac.wordpress.org/browser/wp-datepicker/tags/2.1.3/inc/wpdp_settings.php#L271
- https://plugins.trac.wordpress.org/browser/wp-datepicker/tags/2.1.3/inc/wpdp_settings.php#L359
- https://plugins.trac.wordpress.org/browser/wp-datepicker/tags/2.1.3/inc/wpdp_settings.php#L361
- https://plugins.trac.wordpress.org/browser/wp-datepicker/tags/2.1.3/inc/wpdp_settings.php#L377
- https://plugins.trac.wordpress.org/browser/wp-datepicker/tags/2.1.3/inc/wpdp_settings.php#L401
- https://plugins.trac.wordpress.org/browser/wp-datepicker/tags/2.1.3/inc/wpdp_settings.php#L402
- https://plugins.trac.wordpress.org/browser/wp-datepicker/tags/2.1.3/inc/wpdp_settings.php#L408
- https://plugins.trac.wordpress.org/browser/wp-datepicker/tags/2.1.3/inc/wpdp_settings.php#L409
- https://plugins.trac.wordpress.org/browser/wp-datepicker/tags/2.1.3/inc/wpdp_settings.php#L415
- https://plugins.trac.wordpress.org/browser/wp-datepicker/tags/2.1.3/inc/wpdp_settings.php#L416
- https://plugins.trac.wordpress.org/browser/wp-datepicker/tags/2.1.3/inc/wpdp_settings.php#L423
- https://plugins.trac.wordpress.org/browser/wp-datepicker/tags/2.1.3/inc/wpdp_settings.php#L552
- https://plugins.trac.wordpress.org/browser/wp-datepicker/tags/2.1.3/inc/wpdp_settings.php#L553
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3210616%40wp-datepicker&new=3210616%40wp-datepicker&sfp_email=&sfph_mail=
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3212312%40wp-datepicker&new=3212312%40wp-datepicker&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b6b61731-ded2-4ac1-83f6-686daf92441e?source=cve