Security researchers warn that the 'Advanced Custom Fields' and 'Advanced Custom Fields Pro' WordPress plugins, which have millions of installs, are vulnerable to a cross-site scripting (XSS) attack.
The two plugins are among WordPress's most popular custom field builders, with over 2,000,000 active installs on sites worldwide. Patchstack researcher Rafie Muhammad identified the high-severity reflected XSS vulnerability on May 2, 2023, which was assigned the identifier CVE-2023-30777.
In general, XSS flaws let an attacker inject a malicious script into a page that other users view, so that the script runs in the victim's browser with the victim's session and privileges on that site.
According to Patchstack, the XSS bug could allow an unauthenticated attacker to steal sensitive information and elevate their privileges on an affected WordPress site. "Note that this vulnerability could be triggered on a default installation or configuration of the Advanced Custom Fields plugin," Patchstack explains in the alert.
"The XSS could also only be triggered by logged-in users with Advanced Custom Fields plugin access." In practice, this means an unauthenticated attacker still has to trick a logged-in user who has plugin access into visiting a crafted URL in order to exploit the bug.
Following Patchstack's report, the plugin's developer released a security update, version 6.1.6, on May 4, 2023.
About The XSS Flaw:
CVE-2023-30777 stems from the plugin's 'admin_body_class' function handler, which failed to properly escape the value it returns for the admin_body_class hook, the WordPress filter that controls the CSS classes (design and layout) applied to the body element of pages in the admin area.
The handler built that class string by direct string concatenation, appending the plugin's '$this->view' variable without escaping it. Because '$this->view' is attacker-influenced, a crafted value (a DOM XSS payload) ends up in the final class string that WordPress writes into the body tag.
Passing the value through WordPress's 'sanitize_text_field' does not stop the attack: that function strips HTML tags and stray whitespace, but it does not encode characters such as double quotes, so a payload that breaks out of the class attribute survives it intact. Sanitizing input is not the same as escaping output for the context it lands in.
Version 6.1.6 fixes the issue by wrapping the value in WordPress's existing 'esc_attr' function, which HTML-encodes the output of the admin_body_class hook so it can no longer break out of the attribute.
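To make the mechanism concrete, the following is an added example, not code from the ACF plugin, Patchstack or this page, that models the vulnerable and the hardened handler side by side and runs with plain PHP 7.4 or later (with the DOM extension) and no WordPress install. The request parameter name 'view', the class names, the stand-in helper functions and the payload are all assumptions: the real sanitize_text_field() and esc_attr() do more than the stubs here, but the property that matters, stripping tags versus encoding quotes, is preserved, and the page does not give Patchstack's actual payload, so the attribute-breakout value below is constructed.

```php
<?php
// Added example, not code from the ACF plugin or Patchstack: a minimal model of
// the CVE-2023-30777 pattern, runnable from the command line without WordPress.
// Assumptions (labelled): the parameter name 'view', the class names, the stub
// helpers and the payload are constructed for illustration.

// Stand-in for WordPress's sanitize_text_field(): strips tags and control bytes
// and collapses whitespace. Like the real function it does NOT encode quotes,
// so it is input sanitisation, not output escaping.
function sanitize_text_field_stub( string $str ): string {
    $str = strip_tags( $str );
    $str = preg_replace( '/[\x00-\x1F\x7F]+/', ' ', $str );
    $str = preg_replace( '/ {2,}/', ' ', $str );
    return trim( $str );
}

// Stand-in for WordPress's esc_attr(): encodes the characters that can close an
// attribute value or open a tag (& < > " ').
function esc_attr_stub( string $str ): string {
    return htmlspecialchars( $str, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
}

// Models the plugin's admin page object. $escape_output selects the vulnerable
// (false) or the 6.1.6-style hardened (true) admin_body_class handler.
class Acf_Admin_Page_Model {
    private string $view;
    private bool $escape_output;

    public function __construct( array $request, bool $escape_output ) {
        // The request value is sanitised on the way in, as in the vulnerable
        // code path; that alone is not enough for an HTML attribute context.
        $this->view          = sanitize_text_field_stub( $request['view'] ?? '' );
        $this->escape_output = $escape_output;
    }

    // Callback for the admin_body_class filter. The vulnerable branch appends
    // $this->view by direct concatenation; the fixed branch escapes it first.
    public function admin_body_class( string $classes ): string {
        $view = $this->escape_output ? esc_attr_stub( $this->view ) : $this->view;
        return $classes . ' acf-admin-page acf-internal-post-type ' . $view;
    }
}

// Models how WordPress core emits the admin body tag: the filtered class list
// is written straight into <body class="...">, so the filter's return value
// must already be attribute-safe.
function render_admin_body_tag( callable $admin_body_class_filter ): string {
    $classes = $admin_body_class_filter( 'wp-admin wp-core-ui' );
    return '<body class="' . $classes . '">';
}

// Parses the rendered tag the way a browser would and returns the attribute
// names found on <body>. Anything beyond 'class' means the payload broke out.
function body_attribute_names( string $tag ): array {
    $doc = new DOMDocument();
    libxml_use_internal_errors( true );
    $doc->loadHTML( '<!DOCTYPE html><html>' . $tag . '</body></html>' );
    libxml_clear_errors();
    $body  = $doc->getElementsByTagName( 'body' )->item( 0 );
    $names = [];
    foreach ( $body->attributes as $attr ) {
        $names[] = $attr->name;
    }
    return $names;
}

// Constructed attacker value: closes the class attribute and adds an event
// handler. It contains no HTML tag, so tag stripping leaves it untouched.
$payload = 'x" onload="alert(document.domain)';

$vulnerable = new Acf_Admin_Page_Model( [ 'view' => $payload ], false );
$hardened   = new Acf_Admin_Page_Model( [ 'view' => $payload ], true );

$vuln_tag  = render_admin_body_tag( [ $vulnerable, 'admin_body_class' ] );
$fixed_tag = render_admin_body_tag( [ $hardened, 'admin_body_class' ] );

echo "Vulnerable tag: $vuln_tag\n";
echo "  body attributes: " . implode( ', ', body_attribute_names( $vuln_tag ) ) . "\n";
echo "Hardened tag:   $fixed_tag\n";
echo "  body attributes: " . implode( ', ', body_attribute_names( $fixed_tag ) ) . "\n";
```

Run it with `php acf_body_class_demo.php`. The vulnerable tag parses with two attributes on body, class and onload, because the double quote in the sanitised value terminates the class attribute; the hardened tag parses with only class, since the quote has become `&quot;` and the whole payload is just an odd class name. The same check, rendering the output and parsing it back, is a cheap way to confirm any admin_body_class callback in your own plugins escapes what it appends.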
All 'Advanced Custom Fields' and 'Advanced Custom Fields Pro' users are encouraged to upgrade to version 6.1.6 or later as soon as possible. According to WordPress.org download statistics, 72.1% of the plugin's users still use older versions vulnerable to XSS and other known vulnerabilities.