Website security and monitoring platform Patchstack has recently disclosed a significant vulnerability in Advanced Custom Fields, a popular WordPress plugin. The flaw was made public on May 5 and came equipped with a Proof of Concept (PoC) exploit, highlighting the severity of the issue.
The vulnerability, tracked as CVE-2023-30777, is a critical reflected cross-site scripting (XSS) flaw that lets unauthenticated attackers steal sensitive data and elevate their user privileges on vulnerable WordPress sites.
“This plugin suffers from reflected XSS vulnerability,” reads Patchstack’s security advisory. “This vulnerability allows any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by tricking privileged user to visit the crafted URL path. The described vulnerability was fixed in version 6.1.6, also fixed in version 5.12.6 and assigned CVE-2023-30777.”
A flurry of hacking attempts have hit the plugin since the PoC was published. Cybersecurity experts advise website administrators using the plugin to take immediate measures to mitigate risks.
The WordPress Advanced Custom Fields plugin is widely used, allowing website administrators to easily customize WordPress sites. This widespread usage makes the CVE-2023-30777 vulnerability a significant concern.
Threat actors exploiting this vulnerability could access a vast amount of sensitive data. Within hours of the PoC’s release, cybercriminals were reported to have started exploiting the flaw. This rapid response highlights the urgent need for action from website administrators, which must remain vigilant and ensure their plugins are up-to-date and secure.
This is the second time in a week that Patchstack has disclosed a critical vulnerability affecting a popular WordPress plugin. The previous shortcoming affected Essential Addons for Elementor and enabled attackers to hijack WordPress sites, putting over a million WordPress websites at risk.
The discovery of two significant vulnerabilities in quick succession underscores the pressing need for amplified security protocols within the WordPress ecosystem. This situation illuminates the enduring and ever-changing threats permeating today's digital environment.
tags
Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
View all postsNovember 14, 2024
September 06, 2024