WordPress Plugin Bug Can Be Exploited to Create Rogue Admins

The Contact Form 7 Datepicker plugin was removed from the WordPress plugin repository on April 1. The Contact Form 7 plugin itself is not impacted in any way by the XSS vulnerability found in the Datepicker plugin. Owners of WordPress sites that use the Datepicker plugin are urged to remove or deactivate it: an authenticated stored cross-site scripting (XSS) vulnerability in it can be exploited by attackers to create rogue admins or take over admin sessions. The plugin's developers said that it will no longer be maintained and that they were OK with its removal from the plugin repository.

Source: https://www.bleepingcomputer.com/news/security/wordpress-plugin-bug-can-be-exploited-to-create-rogue-admins/
