Security experts have issued a warning regarding the ‘Advanced Custom Fields’ and ‘Advanced Custom Fields Pro’ plugins for WordPress, which have millions of installations and are susceptible to cross-site scripting (XSS) attacks.

These plugins are highly popular custom field builders on WordPress and are utilized by approximately 2,000,000 active websites globally.

The vulnerability identified as CVE-2023-30777 pertains to a scenario of reflected cross-site scripting (XSS), which can potentially be exploited to inject malicious executable scripts into websites that are considered safe and non-threatening.

BleepingComputer reported that on May 2, 2023, Rafie Muhammad, a researcher at Patchstack, identified the reflected XSS vulnerability of high severity that was designated as CVE-2023-30777.

Cross-site scripting (XSS) vulnerabilities typically allow attackers to introduce malicious scripts onto websites accessed by others, leading to the execution of code on the visitor’s web browser.

“This vulnerability allows any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by tricking a privileged user to visit the crafted URL path”

According to Patchstack, the XSS vulnerability has the potential to enable an unauthorized attacker to pilfer sensitive data and increase their privileges on a compromised WordPress website.

Reflected XSS attacks commonly take place when victims are deceived into clicking on a fake link, which transmits the malicious code to the susceptible website, subsequently reflecting the attack back to the user’s web browser.

The presence of social engineering is a significant factor in reflected XSS attacks, which limits their scope and extent compared to stored XSS attacks.

This restriction leads malicious actors to distribute the harmful link to as many victims as possible in an effort to maximize the attack’s impact.

Once Patchstack alerted the plugin’s developer to the vulnerability, a security update was promptly released on May 4, 2023, as version 6.1.6.