Recent research uncovered a vulnerability in the Advanced Custom Fields and Advanced Custom Fields Pro WordPress plugins. According to the report, the plugin bug could expose millions of websites to cross-site scripting (XSS) attacks.
The two plugins are among the most widely installed field builders for WordPress, with about two million active installations on websites worldwide. Researchers discovered the high-severity reflected XSS flaw earlier this month, and it has been assigned CVE-2023-30777.
XSS vulnerabilities typically allow threat actors to inject malicious scripts into pages viewed by other users, so that the script runs in the visitor's web browser. The analysis also found that this XSS vulnerability could let an unauthorised individual harvest data and gain escalated privileges on an affected WordPress website.
The flaw can be triggered on a default installation.
Further analysis showed that the WordPress plugin flaw can be triggered on a default configuration or installation. However, the XSS can only be activated by a logged-in user who has access to the plugin.
This means unauthenticated attackers would still have a chance of hijacking a user who has access to the plugin through social engineering, by tricking that user into visiting a malicious URL that triggers the flaw.
The researchers notified the plugin's developer of the issue, and a patch has been released to address it.
The vulnerability stems from the admin_body_class function handler, which fails to correctly filter the output value of a hook that controls and sanitises the CSS classes for the main body tag in the administrator area of WordPress websites.
In addition, a threat actor could abuse an unsafe direct concatenation in the plugin's code, specifically through a variable, to smuggle malicious content into the final product, the class string.
The plugin's filtering function will not block such an attempt because it does not recognise the injected content as malicious. Therefore, all users running either of the two plugins mentioned above should update to version 6.1.6 or later as soon as possible to prevent exploitation.
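The pattern described above, as an added illustration rather than the plugin's own code: a hypothetical admin_body_class filter that concatenates a request-controlled variable straight into the class string, beside a hardened version that restricts the value to an allow-list and to valid class-name characters. The parameter name and class prefix are assumptions, not values from the report.

```php
<?php
// Added illustration, not code from Advanced Custom Fields.
// The request parameter 'view' and the prefix 'plugin-view-' are assumptions.

// Unsafe pattern: a value taken from the request is appended directly to the
// body class string. Any characters the attacker places in the parameter end
// up in the <body class="..."> attribute of the admin page unchanged, and a
// downstream filter that only looks for known-bad class names will not notice.
function hypothetical_unsafe_admin_body_class( $classes ) {
    $view     = isset( $_GET['view'] ) ? $_GET['view'] : '';
    $classes .= ' plugin-view-' . $view;
    return $classes;
}

// Hardened pattern: reduce the value to characters that are valid in an HTML
// class name (sanitize_html_class strips everything else) and then accept it
// only if it matches one of the views the plugin actually defines.
function hypothetical_safe_admin_body_class( $classes ) {
    $allowed_views = array( 'list', 'edit', 'settings' );

    $raw  = isset( $_GET['view'] ) ? wp_unslash( $_GET['view'] ) : '';
    $view = sanitize_html_class( $raw );

    if ( '' === $view || ! in_array( $view, $allowed_views, true ) ) {
        // Unknown or empty view: add nothing rather than trusting the input.
        return $classes;
    }

    $classes .= ' plugin-view-' . $view;
    return $classes;
}

// Register only the hardened handler. Whatever produces the final attribute
// should additionally escape the whole class string with esc_attr() at the
// point where it is written into the HTML.
add_filter( 'admin_body_class', 'hypothetical_safe_admin_body_class' );
```

The allow-list is the primary control; sanitize_html_class() is a second layer so that a future addition of a new view cannot silently reopen the concatenation path.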
