Skip to main content
  1. Home
  2. Computing
  3. News

A new WordPress bug may have left 2 million sites vulnerable

Add as a preferred source on Google

A flaw in two WordPress custom plug-ins leaves users vulnerable to cross-site scripting attacks (XSS), according to a recent report.

Patchstack researcher Rafie Muhammad recently discovered an XSS flaw in the Advanced Custom Fields and Advanced Custom Fields Pro plug-ins, which are actively installed by over 2 million users worldwide, according to Bleeping Computer.

Recommended Videos

The flaw, called CVE-2023-30777 was discovered on May 2 and was given a high-severity prominence. The plug-ins’ developer, WP Engine, quickly provided a security update, version 6.1.6, within days of learning about the vulnerability,on May 4.

The popular custom field builders allow users to have full control of their content management system from the back end, with WordPress edit screens, custom field data, and other features.

However, XSS bugs can be seen in a front-facing fashion and work by injecting “malicious scripts on websites viewed by others, resulting in the execution of code on the visitor’s web browser,” Bleeping Computer added.

This could leave website visitors open to having their data stolen from infected WordPress sites, Patchstack noted.

Specifics about the XSS vulnerability indicate that it might be triggered by a “default installation or configuration of the Advanced Custom Fields plug-in.” However, users would have to have logged-in access to the Advanced Custom Fields plug-in to trigger it in the first place, meaning a bad actor would have to trick someone with access to trigger the flaw, the researchers added.

The CVE-2023-30777 flaw can be found in the admin_body_class function handler, in which a bad actor can inject malicious code. In particular, this bug injects DOM XSS payloads into the improperly drafted code, which is not caught by the code’s sanitize output, a security measure of sorts, which is part of the flaw.

The fix on version 6.1.6 introduced the admin_body_class hook, which blocks the XSS attack from being able to execute.

Users of Advanced Custom Fields and Advanced Custom Fields Pro should upgrade the plug-ins to version 6.1.6 or later. Many users remain susceptible to attack, with approximately 72.1% of WordPress.org plug-in users having versions running below 6.1. This makes their websites vulnerable not only to XSS attacks but also to other flaws in the wild, the publication said.

Fionna Agomuoh
Fionna Agomuoh is a Computing Writer at Digital Trends. She covers a range of topics in the computing space, including…
Meta’s detection tool fails to identify photos generated by its own Muse Image AI
Meta has created an invisible watermarking tool called Content Seal that is embedded in all images generated by the Muse Image AI.
Meta AI identification tool.

Earlier this week, Meta announced two new AI products, namely, Muse Image and Muse Video. As the name suggests, these are generative AI tools for making photos and video clips using natural language text prompts. Soon after their rollout commenced, these tools sparked controversy because Meta had automatically opted in Instagram users, allowing others to use their publicly posted media and convert them into remixed AI content. But it appears that Meta courted another loss on its side of the court.

What's the problem?

Read more
Your Google AI Studio apps can finally have polished, presentable web links
AI Studio web apps can now use personalized subdomains
google ai studio logos

Google AI Studio has made building a web app surprisingly easy. You can describe what you want, refine the design through prompts, and publish the result without setting up a traditional development environment. An awkward point of friction comes after deployment, when the finished app still has to live behind a long, forgettable Cloud Run link.

Google is now cleaning up that final step. AI Studio lets you assign a deployed web app a personalized address under the “ai.studio” domain, such as “your-app-name.ai.studio.” A recognizable URL should make the project look more presentable in a portfolio, client demo, social post, or internal project page.

Read more
You can now check if a Google ad was made using AI
Google will auto-label its own AI ads, but third-party AI ads still rely on advertisers to come clean.
google-ads-ai-label

Ever looked at an ad and wondered if a real person made it or if it was AI generated in seconds? Google is now giving you a way to find out.

The company just announced a new AI transparency label that tells you whether an ad was created or edited using generative AI tools. The label lives inside Google's My Ad Center, and it is rolling out across Google Search, YouTube, and Discover globally.

Read more