WordPress Custom Field plugin bug exposes over 1 million sites to XSS attacks

WordPress custom field plugin bug exposes over 1M sites to


Security researchers warn that the Advanced Custom Fields and Advanced Custom Fields Pro WordPress plugins, with millions of installations, are vulnerable to cross-site scripting (XSS) attacks.

Both plugins are among the most popular WordPress custom field builders, with 2,000,000 active installations on sites worldwide.

Patchstack researcher Rafi Muhammad discovered a high-severity mirrored XSS vulnerability on May 2, 2023, assigned the identifier CVE-2023-30777.

XSS bugs typically allow attackers to inject malicious scripts into websites viewed by others, resulting in code being executed in the visitor's web browser.

Patchstack says the XSS flaw could allow an unauthenticated attacker to steal sensitive information and escalate their privileges on an affected WordPress site.

“Note that this vulnerability could occur during the default installation or configuration of the Advanced Custom Fields application,” Patchstack explains in a bulletin.

“XSS can also be run only from logged in users who have access to the Advanced Custom Fields plugin.”

This means that an unauthenticated attacker would still need to socially engineer someone with access to the application to visit a malicious URL to trigger the flaw.

The plugin developer was notified of the issue after Patchstack discovered it and released a security update on May 4, 2023 with version 6.1.6.

The flaw of XSS

CVE-2023-30777 The flaw stems from the admin_body_class function handler failing to properly clean up the output value of a hook that controls and filters CSS classes (design and layout) for the main body tag in the WordPress admin area. websites.

The code for the
Function “admin_body_class”. (Patchstack)

An attacker can use insecure direct code linking of the plugin code, specifically the “$this→view” variable, to add malicious code (DOM XSS payloads) to its components that will be passed to the final product, the class string.

READ  Synced Pattern Overrides Broken, Font Library Fixed as WordPress 6.5 Nears Release - WP Tavern

The sanitization function used by the “sanitize_text_field'' plugin will not stop the attack because it will not detect the injection of malicious code.

Accessing the view” variable via the “current_screen” function” height=:”212:” src=:”https://www.bleepstatic.com/images/news/u/1220909/2023/WordPress/8/this-post.jpg” width=:”766:”/>:
Accessing the “this->view” variable via the “current_screen” function (Patchstack)

The developer fixed the flaw in version 6.1.6 by implementing a new function named “esc_attr” that properly cleans the output value of the admin_body_class hook, thus preventing XSS.

All Advanced Custom Fields and Advanced Custom Fields Pro users are advised to upgrade to version 6.1.6 or later as soon as possible.

Based on WordPress.org download statistics, 72.1% of plugin users are still using versions below 6.1, which are vulnerable to XSS and other known flaws.

Leave a Reply

Your email address will not be published. Required fields are marked *