2 Million Websites at Risk Due to Vulnerability in Popular WordPress Plugin
Users of the Advanced Custom Fields plugin for WordPress are urged to update to version 6.1.6 after discovering a security flaw.
The plugin, which has free and pro versions, is active on over two million websites installation. The vulnerability was identified and reported to the plugin maintainers on May 2, 2023.
A reflected cross-site scripting (XSS) vulnerability, identified as CVE-2023-30777, has been found in the plugin. This vulnerability could allow attackers to inject arbitrary executable scripts into legitimate websites.
Patchstack researcher Rafie Muhammad says“This vulnerability allows any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by tricking a privileged user to visit the crafted URL path.”
Allow us to explain the Reflected XSS attack, XSS known as Cross-Site Scripting is a legitimate technique that allows the hacker or attacker to inject malicious code into the user’s browser. Reflected XSS attacks are a type of cross-site scripting attack that occurs when attackers trick users into clicking on a malicious link, which sends the injected code to a vulnerable website. The website then reflects the code back to the user’s browser, which can execute the code and cause harm. Since this type of attack requires social engineering to convince users to click on a malicious link, it may not have the same level of reach as stored XSS attacks, which can impact a large number of users without user interaction.
The vulnerability identified as CVE-2023-30777 can be triggered on a standard installation or configuration of Advanced Custom Fields, but only by logged-in users with plugin access. In related news, Craft CMS recently addressed two medium-severity XSS vulnerabilities, known as CVE-2023-30177 and CVE-2023-31144, which could also be used to deliver malicious payloads.
I apologize if my previous response changed the meaning of the original statement. Here’s a revised version: