A new WordPress bug may have left 2 million sites vulnerable

A flaw in two WordPress custom plug-ins leaves users vulnerable to cross-site scripting attacks (XSS), according to a recent report.

Patchstack researcher Rafie Muhammad recently discovered an XSS flaw in the Advanced Custom Fields and Advanced Custom Fields Pro plug-ins, which are actively installed by over 2 million users worldwide, according to Bleeping Computer.

The flaw, tracked as CVE-2023-30777, was discovered on May 2 and rated high severity. The plug-ins’ developer, WP Engine, released a security update, version 6.1.6, on May 4, within days of learning about the vulnerability.

The popular custom field builders allow users to have full control of their content management system from the back end, with WordPress edit screens, custom field data, and other features.

However, XSS bugs surface on the public-facing side of a site: they work by injecting “malicious scripts on websites viewed by others, resulting in the execution of code on the visitor’s web browser,” Bleeping Computer added.

This could leave website visitors open to having their data stolen from infected WordPress sites, Patchstack noted.

Specifics about the XSS vulnerability indicate that it can be triggered on a “default installation or configuration of the Advanced Custom Fields plug-in.” However, triggering it requires a logged-in user with access to the Advanced Custom Fields plug-in, meaning a bad actor would have to trick someone with that access into triggering the flaw, the researchers added.

The CVE-2023-30777 flaw lies in the admin_body_class function handler, into which a bad actor can inject malicious code. In particular, the bug lets DOM XSS payloads pass into improperly written code because the handler’s output is not properly sanitized; that missing output sanitization, a basic security measure, is the core of the flaw.

The fix in version 6.1.6 introduced the admin_body_class hook, which prevents the XSS payload from executing.
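To make the defect concrete, here is an added example of the general pattern the report describes: a value influenced by a logged-in user reaching the admin page’s body class attribute without escaping, next to the hardened form that escapes for an attribute context. This is illustrative code written for this page, not ACF’s actual code or WP Engine’s patch; the function names, the `$user_controlled` parameter and the sample input are assumptions. The WordPress `esc_attr()` function is what real plug-in code would call; a fallback built on `htmlspecialchars()` is defined so the script runs outside WordPress.

```php
<?php
// Added, illustrative example; not the Advanced Custom Fields source.
// In a real plug-in this logic would be registered with
//   add_filter('admin_body_class', 'admin_body_class_hardened');
// esc_attr() is WordPress' attribute escaper; the fallback below only
// exists so the script runs stand-alone with the PHP CLI.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable pattern: a value an authenticated user can influence
// (hypothetical $user_controlled) is appended to the admin <body>
// class list verbatim, so quotes and angle brackets reach the HTML.
function admin_body_class_vulnerable(string $classes, string $user_controlled): string
{
    return $classes . ' ' . $user_controlled;
}

// Hardened pattern: escape for the attribute context before output.
// Quotes become &quot;, angle brackets become &lt;/&gt;, so the value
// can no longer terminate the attribute or start a new tag.
function admin_body_class_hardened(string $classes, string $user_controlled): string
{
    return $classes . ' ' . esc_attr($user_controlled);
}

// Minimal stand-in for the admin template that emits the body tag.
function render_body(string $classes): string
{
    return '<body class="' . $classes . '">';
}

// Constructed input containing the characters that matter in an
// attribute context: a double quote and an angle bracket.
$input = 'wp-admin" data-x="<b>';

echo "vulnerable: ", render_body(admin_body_class_vulnerable('wp-admin', $input)), PHP_EOL;
echo "hardened:   ", render_body(admin_body_class_hardened('wp-admin', $input)), PHP_EOL;
```

Run it with `php example.php`: the vulnerable line shows the attribute closing early and a new attribute and tag appearing in the output, while the hardened line keeps the entire value inside the class attribute as inert text. The same review question applies to any handler on the `admin_body_class` filter: is every value it returns escaped for the attribute it lands in?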

Users of Advanced Custom Fields and Advanced Custom Fields Pro should upgrade the plug-ins to version 6.1.6 or later. Many users remain susceptible to attack, with approximately 72.1% of WordPress.org plug-in users running versions below 6.1. This leaves their websites vulnerable not only to XSS attacks but also to other flaws in the wild, the publication said.

Fionna Agomuoh
Fionna Agomuoh is a technology journalist with over a decade of experience writing about various consumer electronics topics…