Users of the Advanced Custom Fields plugin for WordPress are urged to update to version 6.1.6 after a security flaw was discovered.
The issue, assigned the identifier CVE-2023-30777, relates to a case of reflected cross-site scripting (XSS) that could be abused to inject arbitrary executable scripts into otherwise benign websites.
The plugin, which is available in both a free and a pro version, has more than two million active installations. The issue was discovered and reported to the maintainers on May 2, 2023.
“This vulnerability allows any unauthenticated user to steal sensitive information, in this case, privilege escalation on a WordPress site by tricking a privileged user into visiting a generated URL path,” Patchstack researcher Rafie Muhammad said.
Reflected XSS attacks typically occur when victims are tricked into clicking fake links sent via email or other routes, causing malicious code to be sent to a vulnerable website, which reflects the attack back to the user’s browser.
This element of social engineering means that reflected XSS does not have the same reach and scale as stored XSS attacks, prompting threat actors to distribute malicious links to as many victims as possible.
“[Reflected XSS attacks] are typically the result of insufficiently sanitized incoming requests, allowing manipulation of web application functionality and activation of malicious scripts,” Imperva notes.
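To make the mechanism concrete, the following is an added example (not code from the plugin or from the researchers quoted above) of the pattern behind reflected XSS: a request parameter copied into the HTML response without output encoding, next to the hardened version that escapes it. The parameter name `msg`, the `render_*` handlers and the `PROBE` marker are constructed for illustration; the WordPress equivalents of `html.escape` are the `esc_html()` / `esc_attr()` family. The last function is a defender-side regression check that a project can run in its test suite: it sends a harmless marker through the handler and reports whether the marker comes back unescaped.

```python
import html
from urllib.parse import parse_qs, quote

# Constructed marker: harmless, easy to spot in the output, and containing the
# characters (<, >, ", =) that an HTML escaper must neutralise.
PROBE = '<probe id="x">'


def _param(query_string: str, name: str) -> str:
    """Return the first value of a query-string parameter ('' if absent)."""
    params = parse_qs(query_string, keep_blank_values=True)
    return params.get(name, [""])[0]


def render_vulnerable(query_string: str) -> str:
    """Reflects 'msg' straight into the markup. Whatever the link carried
    (including markup or a <script> element) is returned as live HTML, which
    is exactly the reflected XSS pattern described in the article."""
    value = _param(query_string, "msg")
    return f'<div class="notice">{value}</div>'


def render_hardened(query_string: str) -> str:
    """Same page, but the value is HTML-escaped for the context it lands in
    (element text), so it is rendered as literal characters, not parsed."""
    value = _param(query_string, "msg")
    return f'<div class="notice">{html.escape(value, quote=True)}</div>'


def reflects_unescaped(render, param: str = "msg", probe: str = PROBE) -> bool:
    """Defender-side check: does the handler echo the probe back verbatim?

    The probe is URL-encoded the way a browser would send it, the handler is
    called, and the raw response is searched for the unescaped marker. A True
    result means output encoding is missing for that parameter."""
    body = render(f"{param}={quote(probe)}")
    return probe in body


if __name__ == "__main__":
    for name, handler in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        status = "REFLECTS UNESCAPED" if reflects_unescaped(handler) else "escaped"
        print(f"{name:11s}: {status}")
```

The check is intentionally context-blind: it only proves that escaping happens at all. Escaping must match the output context (element text, attribute value, URL, inline script), and a value that is safe inside element text can still be unsafe inside an unquoted attribute or a `<script>` block, so a real test suite should probe each place the parameter is written.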
It should be noted that CVE-2023-30777 can be triggered on a default installation or configuration of Advanced Custom Fields, although this is only possible by logged-in users who have access to the plugin.
“An attacker can attack not only the cPanel management port but also applications running on ports 80 and 443,” Shubham Shah of Assetnote said, adding that it could allow an adversary to hijack a valid user’s cPanel session.
“After acting on behalf of an authenticated cPanel user, it’s usually trivial to upload a web shell and get command execution.”