
A new WordPress bug may have left 2 million sites vulnerable

A flaw in two WordPress custom plug-ins leaves users vulnerable to cross-site scripting attacks (XSS), according to a recent report.

Patchstack researcher Rafie Muhammad recently discovered an XSS flaw in the Advanced Custom Fields and Advanced Custom Fields Pro plug-ins, which are actively installed by over 2 million users worldwide, according to Bleeping Computer.


The flaw, tracked as CVE-2023-30777, was discovered on May 2 and rated high severity. The plug-ins’ developer, WP Engine, released a security update, version 6.1.6, on May 4, within days of learning of the vulnerability.


The popular custom field builders allow users to have full control of their content management system from the back end, with WordPress edit screens, custom field data, and other features.

XSS bugs, however, affect the public-facing side of a site: they work by injecting “malicious scripts on websites viewed by others, resulting in the execution of code on the visitor’s web browser,” Bleeping Computer added.

This could leave website visitors open to having their data stolen from infected WordPress sites, Patchstack noted.

Specifics about the XSS vulnerability indicate that it might be triggered by a “default installation or configuration of the Advanced Custom Fields plug-in.” However, users would have to have logged-in access to the Advanced Custom Fields plug-in to trigger it in the first place, meaning a bad actor would have to trick someone with access to trigger the flaw, the researchers added.

The CVE-2023-30777 flaw lies in the admin_body_class function handler, where a bad actor can inject malicious code. Specifically, DOM XSS payloads can be injected through this improperly written code, and the code’s sanitize-output step, a security measure of sorts, fails to catch them; that failure is part of the flaw.

The fix in version 6.1.6 introduced the admin_body_class hook, which prevents the XSS attack from executing.
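To make the class of bug described above concrete, here is an added illustration (not code from Advanced Custom Fields or WP Engine) of a WordPress admin_body_class filter callback that appends a request-controlled value to the admin page’s body class attribute without output escaping, beside the hardened form that escapes for the attribute context. The function names, the tainted sample value and the esc_attr() stand-in (used only when WordPress’s own function is not loaded) are all assumptions made for this demonstration.

```php
<?php
// Added illustration of the bug class the article describes; this is not the
// plug-in's own code. Names, sample input and the esc_attr() fallback are assumptions.

if (!function_exists('esc_attr')) {
    // Stand-in for WordPress's esc_attr(): HTML-escape a value for use inside
    // a double-quoted attribute. Only defined here so the file runs outside WordPress.
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern: the request-derived value reaches the attribute untouched.
// A double quote inside it closes class="..." and everything after it is parsed
// by the browser as new attributes on the <body> tag.
function admin_body_class_unsafe(string $classes, string $post_type): string {
    return $classes . ' post-type-' . $post_type;
}

// Hardened pattern: escape at the point of output, in the context the value is
// emitted into (an HTML attribute), so quotes and angle brackets become entities
// and the whole value stays inside the class attribute.
function admin_body_class_safe(string $classes, string $post_type): string {
    return $classes . ' post-type-' . esc_attr($post_type);
}

// Render the tag the way an admin template would.
function render_body_tag(string $classes): string {
    return '<body class="' . $classes . '">';
}

// Quick self-check a reviewer can run: the rendered tag must contain exactly one
// opening attribute quote pair, i.e. no raw quote from the input survived.
function value_stays_in_attribute(string $rendered): bool {
    return substr_count($rendered, '"') === 2;
}

// CONSTRUCTED sample value: a quote to break out of the attribute, followed by
// an event-handler attribute, which is the shape of a DOM XSS payload.
$tainted = 'post" onload="alert(1)';

$unsafe = render_body_tag(admin_body_class_unsafe('wp-admin', $tainted));
$safe   = render_body_tag(admin_body_class_safe('wp-admin', $tainted));

echo $unsafe, PHP_EOL;
echo 'value contained: ', var_export(value_stays_in_attribute($unsafe), true), PHP_EOL;
echo $safe, PHP_EOL;
echo 'value contained: ', var_export(value_stays_in_attribute($safe), true), PHP_EOL;
```

Run it with `php example.php`. In the unsafe rendering the injected quote terminates the class attribute and the onload handler appears as a real attribute on the body tag, so the check reports false; in the escaped rendering every quote and bracket from the input is turned into an entity, the value remains a single class-attribute string, and the check reports true. The point for defenders is that the fix belongs at the output sink, with escaping chosen for the HTML attribute context, rather than in an input-side sanitizer that may not anticipate where the value is later emitted.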

Users of Advanced Custom Fields and Advanced Custom Fields Pro should upgrade the plug-ins to version 6.1.6 or later. Many users remain susceptible to attack, with approximately 72.1% of WordPress.org plug-in users running versions below 6.1. This leaves their websites vulnerable not only to XSS attacks but also to other flaws in the wild, the publication said.

Fionna Agomuoh
Fionna Agomuoh is a Computing Writer at Digital Trends. She covers a range of topics in the computing space, including…