A vulnerability in the “Advanced Custom Fields” plugin for WordPress is putting more than two million users at risk of cyberattacks, warns Patchstack researcher Rafie Muhammad. The Register reports: A warning from Patchstack about the flaw claimed there are more than two million active installs of the Advanced Custom Fields and Advanced Custom Fields Pro versions of the plugins, which are used to give site operators greater control of their content and data, such as edit screens and custom field data. Patchstack researcher Rafie Muhammad uncovered the vulnerability on February 5, and reported it to Advanced Custom Fields’ vendor Delicious Brains, which took over the software last year from developer Elliot Condon. On May 5, a month after a patched version of the plugins was released by Delicious Brains, Patchstack published details of the flaw. It’s recommended users update their plugin to at least version 6.1.6.

The flaw, tracked as CVE-2023-30777 and with a CVSS score of 6.1 out of 10 in severity, leaves sites vulnerable to reflected XSS attacks, which involve miscreants injecting malicious code into webpages. The code is then “reflected” back and executed within the browser of a visitor. Essentially, it allows someone to run JavaScript within another person’s view of a page, allowing the attacker to do things like steal information from the page, perform actions as the user, and so on. That’s a big problem if the visitor is a logged-in administrative user, as their account could be hijacked to take over the website.

“This vulnerability allows any unauthenticated user [to steal] sensitive information to, in this case, privilege escalation on the WordPress site by tricking the privileged user to visit the crafted URL path,” Patchstack wrote in its report. The outfit added that “this vulnerability could be triggered on a default installation or configuration of Advanced Custom Fields plugin. The XSS also could only be triggered from logged-in users that have access to the Advanced Custom Fields plugin.”
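The mechanics described above, as an added example that is not code from Advanced Custom Fields, Patchstack or The Register: a request parameter is concatenated into an admin-page HTML attribute without encoding, so a quote in the URL breaks out of the attribute and the remainder of the value becomes markup that runs in the browser of whichever logged-in user opens that URL. The function and attribute names, the `tab` parameter and the sample input are constructed for illustration; the pattern is generic and nothing here reflects how the patched plugin is implemented. It runs stand-alone with the PHP CLI; inside WordPress the `htmlspecialchars()` wrapper would be replaced by `esc_attr()` or `esc_html()` for the matching context.

```php
<?php
// Added example, not plugin code. Shows a reflected XSS pattern in a
// server-rendered admin screen and the output-encoding fix for it.

/**
 * Vulnerable pattern (constructed): the value of a URL parameter such as
 * ?tab=... is echoed verbatim inside a double-quoted HTML attribute. A "
 * in the input terminates the attribute and the rest of the input is
 * interpreted as further attributes or tags by the visitor's browser.
 */
function render_tab_vulnerable(string $tab): string
{
    return '<div class="acf-tab" data-tab="' . $tab . '">';
}

/**
 * Attribute-context encoder. ENT_QUOTES encodes both ' and " so the value
 * can never close the attribute it sits in; ENT_SUBSTITUTE replaces
 * malformed UTF-8 instead of returning an empty string, which would silently
 * drop the value. In WordPress, esc_attr() serves this role.
 */
function esc_attr_cli(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Hardened pattern: encode for the context the value is written into, and,
 * where the set of legitimate values is known (tab names are), also fall
 * back to a default for anything outside that set. Encoding alone already
 * closes the reflected XSS; the allow-list is defence in depth.
 */
function render_tab_hardened(string $tab): string
{
    $allowed = ['general', 'display', 'validation']; // constructed tab names
    $safe = in_array($tab, $allowed, true) ? $tab : 'general';
    return '<div class="acf-tab" data-tab="' . esc_attr_cli($safe) . '">';
}

// Constructed sample input standing in for a crafted ?tab= value in the URL.
$untrusted = '" onmouseover="alert(1)';

echo "vulnerable: ", render_tab_vulnerable($untrusted), PHP_EOL;
// -> <div class="acf-tab" data-tab="" onmouseover="alert(1)">
//    the input has escaped the attribute and added an event handler.

echo "encoded only: ", esc_attr_cli($untrusted), PHP_EOL;
// -> &quot; onmouseover=&quot;alert(1)
//    the quotes are now inert character references.

echo "hardened:   ", render_tab_hardened($untrusted), PHP_EOL;
// -> <div class="acf-tab" data-tab="general">
```

The two fixes are independent: encoding makes any value safe to print, while the allow-list limits the surface to values the screen actually offers. The same reasoning applies to every place a plugin writes request data into HTML, with the encoder chosen for the context (attribute, text node, URL, inline script). On a live site, `wp plugin get advanced-custom-fields --field=version` (WP-CLI) shows the installed version to compare against the 6.1.6 minimum the article recommends.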
