Skip to content
Users of Advanced Custom Fields plugin for WordPress are being asked to update version 6.1.6 after the discovery of a security defect.
This issue, given the identifier CVE-2023-30777, relates to a case of reflected ‘cross-site scripting’ (XSS) that could be used to inject ‘arbitrary executable scripts’ into otherwise ok websites.
The plugin, which is available both as a free & pro version, has over 2m active installations. The issue was discovered & reported to maintainers on May 2, 2023.
Unauthenticated User
“This vulnerability allows any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by tricking a privileged user to visit the crafted URL path,” Patchstack researcher Rafie Muhammad said.
Reflected XSS attacks normally occur when victims are tricked into clicking on a false link sent via email or by another route, causing the malicious code to be sent to the vulnerable website, which reflects the attack back to the user’s browser.
Reach & Scale
This element of social engineering means that reflected XSS does not have the same reach & scale as stored XSS attacks, prompting threat actors to distribute the malicious link to as many victims as possible.
“[A reflected XSS attack] is typically a result of incoming requests not being sufficiently sanitised, which allows for the manipulation of a web application’s functions & the activation of malicious scripts,” Imperva notes.
Advanced Custom Fields
Note that CVE-2023-30777 can be activated on a default installation or configuration of Advanced Custom Fields, although it is also possible to do this from logged-in users who have access to the plugin.
This comes as Craft CMS patched 2 medium-severity XSS flaws (CVE-2023-30177 & CVE-2023-31144) that could be exploited by a threat player to serve malicious payloads.
Hijack
It also follows the disclosure of another XSS flaw in the cPanel product (CVE-2023-29489, CVSS score: 6.1) that could be exploited without any authentication to run arbitrary JavaScript.
“An attacker can not only attack the management ports of cPanel but also the applications that are running on port 80 and 443,” Assetnote’s Shubham Shah said, adding it could enable an adversary to hijack a valid user’s cPanel session.
“Once acting on behalf of an authenticated user of cPanel, it is usually trivial to upload a web shell and gain command execution.” he concluded.
