Critical Security Alert: Over 1 Million Websites at Risk of XSS Exploit due to a WordPress Plugin Vulnerability
Security researchers have recently discovered a vulnerability that puts users of the popular WordPress plugins "Advanced Custom Fields" and "Advanced Custom Fields Pro" at risk of cross-site scripting (XSS) attacks. With over 2 million active installations worldwide, these plugins are among the most widely used custom field builders for WordPress websites.
According to Rafie Muhammad, a researcher at Patchstack, a high-severity reflected XSS vulnerability (CVE-2023-30777) was discovered on May 2, 2023. XSS vulnerabilities allow attackers to inject malicious scripts on websites, which can execute code on the visitor's web browser. This can result in the theft of sensitive information and the escalation of privileges on an impacted WordPress site.
Our security team warns that even a default installation or configuration of the Advanced Custom Fields plugin can trigger this vulnerability. The XSS can only be triggered by logged-in users who have access to the plugin. Therefore, unauthenticated attackers would still need to social engineer someone with access to the plugin to visit a malicious URL to exploit the flaw.
The vulnerability was fixed in version 6.1.6, which was released on May 4, 2023. The flaw was due to the 'admin_body_class' function handler that failed to properly sanitize the output value of a hook that controls and filters the CSS classes for the main body tag in the admin area of WordPress sites. Attackers could leverage an unsafe direct code concatenation on the plugin's code to add harmful code (DOM XSS payloads) in its components that will pass to the final product, a class string. The cleaning function used by the plugin, 'sanitize_text_field,' will not stop the attack because it won't catch the malicious code injection. The developer fixed the flaw by implementing a new function named 'esc_attr' that properly sanitizes the output value of the admin_body_class hook, hence preventing the XSS.
All users of Advanced Custom Fields and Advanced Custom Fields Pro are advised to upgrade to version 6.1.6 or later immediately. However, 72.1% of the plugin's users still use versions below 6.1, which are vulnerable to XSS and other known flaws.
In conclusion, it is crucial to take this security alert seriously and update your plugins to ensure your website's security. By doing so, you can prevent the exploitation of vulnerabilities and safeguard your sensitive information from falling into the wrong hands.
If you need assistance with website and web application security, Armoryze can help. Our team of experts specializes in protecting your digital assets from cyber attacks, and we offer a variety of solutions tailored to meet your specific needs. Contact us today to learn more about how we can help you stay safe and secure online.