Skip to main content

A new WordPress bug may have left 2 million sites vulnerable

A flaw in two WordPress custom plug-ins leaves users vulnerable to cross-site scripting attacks (XSS), according to a recent report.

Patchstack researcher Rafie Muhammad recently discovered an XSS flaw in the Advanced Custom Fields and Advanced Custom Fields Pro plug-ins, which are actively installed by over 2 million users worldwide, according to Bleeping Computer.

The flaw, called CVE-2023-30777 was discovered on May 2 and was given a high-severity prominence. The plug-ins’ developer, WP Engine, quickly provided a security update, version 6.1.6, within days of learning about the vulnerability,on May 4.

The popular custom field builders allow users to have full control of their content management system from the back end, with WordPress edit screens, custom field data, and other features.

However, XSS bugs can be seen in a front-facing fashion and work by injecting “malicious scripts on websites viewed by others, resulting in the execution of code on the visitor’s web browser,” Bleeping Computer added.

This could leave website visitors open to having their data stolen from infected WordPress sites, Patchstack noted.

Specifics about the XSS vulnerability indicate that it might be triggered by a “default installation or configuration of the Advanced Custom Fields plug-in.” However, users would have to have logged-in access to the Advanced Custom Fields plug-in to trigger it in the first place, meaning a bad actor would have to trick someone with access to trigger the flaw, the researchers added.

The CVE-2023-30777 flaw can be found in the admin_body_class function handler, in which a bad actor can inject malicious code. In particular, this bug injects DOM XSS payloads into the improperly drafted code, which is not caught by the code’s sanitize output, a security measure of sorts, which is part of the flaw.

The fix on version 6.1.6 introduced the admin_body_class hook, which blocks the XSS attack from being able to execute.

Users of Advanced Custom Fields and Advanced Custom Fields Pro should upgrade the plug-ins to version 6.1.6 or later. Many users remain susceptible to attack, with approximately 72.1% of plug-in users having versions running below 6.1. This makes their websites vulnerable not only to XSS attacks but also to other flaws in the wild, the publication said.

Editors' Recommendations

Fionna Agomuoh
Fionna Agomuoh is a technology journalist with over a decade of experience writing about various consumer electronics topics…
Time to change your Twitter password: 32 million accounts may have been hacked
twitter suspends extremist accounts app

Mark Zuckerberg, Katy Perry, Keith Richards, Tame Impala, Drake, Tenacious D, oh, and Twitter founder Evan Williams. What do they have in common? They've all had their Twitter accounts compromised in recent days, that's what.

And late Thursday it emerged the apparent hack could be serious. Like 32-million-accounts serious.

Read more
Bugcrowd’s bug bounties grow 210 percent, with more than $2 million paid out
google microsoft increase payouts in bug bounty programs

Bug bounties are quickly becoming security best practice and no longer considered a novelty, according to Bugcrowd's second annual State of Bug Bounty report.

The research from the bug bounty platform company shows it has paid out over $2 million in bounty rewards as of March this year and the number of bug bounty programs running on its platform has increased some 210 percent since January 2013.

Read more
Another WordPress exploit hits thousands of sites
another wordpress exploit hits thousands of sites wordpressheader2

The downside of becoming a popular content management system is that more and more people are looking for bugs you may have, in order to exploit them. It makes sense, as the more people use something, the more potential targets you have if you find a bug. But for WordPress' developers, it must be an exercise in frustration patching holes as often as they need to.

Yet another bug has been found in the popular CMS in the past couple of weeks, and it's seen thousands of sites targeted and millions of visitors made vulnerable. Visitors to sites that have been compromised risk being redirected to a site that attempts to infect them with the Nuclear Exploit kit, an ever-evolving arsenal of malware that can inject ransomware into a system, locking the desktop and encrypting files while demanding payment to return them to normal.

Read more