A popular WordPress plugin with over two million active installs contained a serious vulnerability that allowed attackers to steal sensitive data from site users and, in some cases, take complete control of the site.
The plugin is called Advanced Custom Fields (ACF); together with its Pro version, it gives site admins finer control over site content and data.
The plugin was vulnerable to reflected cross-site scripting (XSS), which lets an attacker inject script into a page served by the affected site. Because the script runs in the visitor's browser under the site's own origin, it can read whatever that user can see and act with that user's privileges. Here the vulnerable page lives in the WordPress admin area, so the attacker has to trick a logged-in user into opening a crafted link; if that user is an administrator, the injected script can, for example, create a new administrator account or install a malicious plugin, handing the attacker complete control of the site.
Patching the bug
The vulnerability was discovered in May 2023 by Patchstack researcher Rafie Muhammad and reported to plugin vendor Delicious Brains.
It has been assigned CVE-2023-30777 and a CVSS severity score of 6.1 out of 10 (medium). Delicious Brains released a fix two days after the report, on 4 May 2023, in version 6.1.6 of both the free and Pro plugins; versions 6.1.5 and earlier are affected. Administrators should check the installed ACF version in the WordPress plugin list and update to 6.1.6 or later as soon as possible, since reflected XSS in the admin area is a direct route to account takeover.
“This vulnerability allows any unauthenticated user [to steal] sensitive information, in this case, to escalate privileges on a WordPress site by tricking a privileged user into visiting a crafted URL path,” says Patchstack. “This vulnerability can be triggered during the default installation or configuration of the Advanced Custom Fields plugin. The XSS could also only be triggered by logged-in users who have access to the Advanced Custom Fields plugin,” the researchers concluded.
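To make the bug class concrete, here is a constructed PHP example written for this article; it is not taken from the Advanced Custom Fields code base or from Patchstack's report. It mimics a WordPress `admin_body_class` filter that copies a query-string parameter (assumed here to be called `post_status`) into the `<body class="...">` attribute of an admin page. WordPress core echoes that filter's output into the attribute without escaping it, so any unescaped input reaching the filter is a reflected XSS, and the only way to trigger it is to get a logged-in user to open the crafted URL, exactly the attack path Patchstack describes. The `render_body_tag` helper, the `acf-post-status-` class prefix and the payload are illustrative assumptions, not the plugin's actual code.

```php
<?php
// Constructed example for this article. NOT the Advanced Custom Fields plugin's
// code: it illustrates the bug class behind CVE-2023-30777 (reflected XSS in a
// wp-admin page) with a vulnerable filter and its hardened form side by side.
// Parameter name, function names, class prefix and payload are assumptions.

declare(strict_types=1);

/**
 * Stand-in for WordPress' esc_attr() so the file runs without WordPress.
 * It encodes the characters that can close an HTML attribute or start markup.
 * Real plugin code should call the core esc_attr() instead.
 */
function esc_attr_standin(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Vulnerable filter: the post_status query parameter is concatenated raw into
 * the class list. Core echoes the filter result straight into <body class="...">,
 * so a value containing a double quote breaks out of the attribute.
 */
function admin_body_class_vulnerable(string $classes, array $request): string
{
    $status = (string) ($request['post_status'] ?? '');
    if ($status !== '') {
        $classes .= ' acf-post-status-' . $status;   // no escaping, no validation
    }
    return $classes;
}

/**
 * Hardened filter: restrict the value to what a post status can legitimately
 * look like (letters, digits, dash, underscore) and escape it for the attribute
 * context. Escaping alone closes the hole; the allow-list is defence in depth
 * and mirrors what WordPress' sanitize_key() would do to the raw parameter.
 */
function admin_body_class_hardened(string $classes, array $request): string
{
    $status = (string) ($request['post_status'] ?? '');
    if ($status !== '' && preg_match('/\A[a-z0-9_-]{1,20}\z/i', $status) === 1) {
        $classes .= ' acf-post-status-' . esc_attr_standin($status);
    }
    return $classes;
}

/**
 * Imitates the unescaped echo of the admin_body_class filter result in
 * wp-admin/admin-header.php (assumption: simplified from core, not copied).
 */
function render_body_tag(callable $filter, array $request): string
{
    $classes = ltrim($filter('', $request));
    return '<body class="wp-admin wp-core-ui no-js ' . $classes . '">';
}

// Constructed payload that a phishing link could carry in its query string:
// it closes the class attribute and adds an element with an onload handler.
// A real payload would exfiltrate the admin's session or create a new
// administrator with the victim's nonce instead of popping an alert.
$crafted = ['post_status' => '"><svg onload="alert(document.domain)'];

// Vulnerable: the payload is emitted verbatim inside the <body> tag.
echo render_body_tag('admin_body_class_vulnerable', $crafted), PHP_EOL;

// Hardened: the payload fails the allow-list and is dropped entirely.
echo render_body_tag('admin_body_class_hardened', $crafted), PHP_EOL;

// Hardened with a legitimate value: the class is still added as intended.
echo render_body_tag('admin_body_class_hardened', ['post_status' => 'draft']), PHP_EOL;
```

Run it with `php example.php`: the first line of output contains the payload unchanged, with the class attribute closed and an `<svg onload=...>` element opened inside the body tag, while the second line contains no trace of it and the third keeps the normal `acf-post-status-draft` class. The fix that matters is escaping for the attribute context at the point of output (in a real plugin, WordPress' `esc_attr()`); reading the parameter through `sanitize_key()` rather than touching `$_GET` directly adds the allow-list on top.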
According to The Register, the vulnerability is relatively simple and is one of four discovered in this plugin over the last few years.
By: The Register