New Vulnerability in Popular WordPress Plugin Exposes Over 2 Million Sites to Cyberattacks

Users of Advanced Custom Fields plugin for WordPress are being urged to update version 6.1.6 following the discovery of a security flaw.

The issue, assigned the identifier CVE-2023-30777, relates to a case of reflected cross-site scripting (XSS) that could be abused to inject arbitrary executable scripts into otherwise benign websites.

The plugin, which is available both as a free and pro version, has over two million active installations. The issue was discovered and reported to the maintainers on May 2, 2023.

“This vulnerability allows any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by tricking a privileged user to visit the crafted URL path,” Patchstack researcher Rafie Muhammad said.

Reflected XSS attacks usually occur when victims are tricked into clicking on a bogus link sent via email or another route, causing the malicious code to be sent to the vulnerable website, which reflects the attack back to the user’s browser.

This element of social engineering means that reflected XSS does not have the same reach and scale as stored XSS attacks, prompting threat actors to distribute the malicious link to as many victims as possible.

“[A reflected XSS attack] is typically a result of incoming requests not being sufficiently sanitized, which allows for the manipulation of a web application’s functions and the activation of malicious scripts,” Imperva notes.

It’s worth noting that CVE-2023-30777 can be activated on a default installation or configuration of Advanced Custom Fields, although it’s also possible to do so from logged-in users who have access to the plugin.

The development comes as Craft CMS patched two medium-severity XSS flaws (CVE-2023-30177 and CVE-2023-31144) that could be exploited by a threat actor to serve malicious payloads.

It also follows the disclosure of another XSS flaw in the cPanel product (CVE-2023-29489, CVSS score: 6.1) that could be exploited without any authentication to run arbitrary JavaScript.

“An attacker can not only attack the management ports of cPanel but also the applications that are running on port 80 and 443,” Assetnote’s Shubham Shah said, adding it could enable an adversary to hijack a valid user’s cPanel session.

“Once acting on behalf of an authenticated user of cPanel, it is usually trivial to upload a web shell and gain command execution.”

CVE-2023-30777 Comes Under Active Exploitation

Threat actors are actively exploiting the cross-site scripting (XSS) flaw in the WordPress Advanced Custom Fields plugin as part of an indiscriminate scanning activity, web security company Akamai disclosed in a report published last week.

The attacks started “within 24 hours of the exploit PoC being made public,” the company noted, adding the threat actor copied and reused the sample code released by Patchstack earlier this month.

“The rate of exploitation of emerging and recently disclosed vulnerabilities remains high — and is getting faster,” Akamai’s Ryan Barnett said. “Patch management is a critical part of an organization’s security and risk-reduction strategy.”

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.