Over 1 Million WordPress Websites at Risk of XSS Attacks Due to Buggy Plugin

Published on: May 7, 2023
Last Updated: May 7, 2023

Security experts have issued a warning regarding the ‘Advanced Custom Fields’ and ‘Advanced Custom Fields Pro’ plugins for WordPress, which have millions of installations and are susceptible to cross-site scripting (XSS) attacks.

These plugins are highly popular custom field builders on WordPress and are utilized by approximately 2,000,000 active websites globally.

The vulnerability, tracked as CVE-2023-30777, is a reflected cross-site scripting (XSS) flaw that could be exploited to inject malicious scripts into websites that visitors otherwise consider safe.

BleepingComputer reported that on May 2, 2023, Rafie Muhammad, a researcher at Patchstack, identified the reflected XSS vulnerability of high severity that was designated as CVE-2023-30777.

Cross-site scripting (XSS) vulnerabilities typically allow attackers to introduce malicious scripts onto websites accessed by others, leading to the execution of code on the visitor’s web browser.

“This vulnerability allows any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by tricking a privileged user to visit the crafted URL path.”

According to Patchstack, the XSS vulnerability could allow an unauthenticated attacker to steal sensitive data and escalate their privileges on a compromised WordPress website.

Reflected XSS attacks commonly occur when a victim is tricked into clicking a crafted link: the link carries the malicious payload to the vulnerable website, which reflects it back into the victim’s browser, where it executes.

Because reflected XSS depends on this social engineering step, its scope and reach are narrower than those of stored XSS attacks.

This restriction leads malicious actors to distribute the harmful link to as many victims as possible in an effort to maximize the attack’s impact.
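To show concretely what “reflecting” a crafted URL back into the page means, and what the fix looks like, here is an added example that is not code from the plugin or from the Patchstack advisory. The parameter name `q`, the URL and the `example.test` host are hypothetical, and the crafted value is a constructed test input.

```javascript
// Added illustration (hypothetical names, not the plugin's code): a reflected
// XSS exists when a query-string value from a crafted URL is echoed into HTML
// unescaped. Output-encoding the value before it reaches the page is the fix.

// Map the five characters that HTML injection relies on to entities.
function escapeHtml(value) {
  const entities = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Vulnerable pattern: the search term taken from the URL is written straight
// into an attribute, so a value that closes the quote becomes new markup.
function renderSearchVulnerable(url) {
  const q = new URL(url).searchParams.get('q') ?? '';
  return `<input type="search" name="q" value="${q}">`;
}

// Fixed pattern: the same value passes through escapeHtml first, so it can
// only ever be text inside the attribute (WordPress code would use esc_attr()).
function renderSearchFixed(url) {
  const q = new URL(url).searchParams.get('q') ?? '';
  return `<input type="search" name="q" value="${escapeHtml(q)}">`;
}

// Review helper for a defender: does the rendered fragment contain any tag the
// template itself never wrote? This template only ever emits <input>.
function containsUnexpectedTag(html) {
  const tags = [...html.matchAll(/<\s*\/?\s*([a-zA-Z][\w-]*)/g)]
    .map((m) => m[1].toLowerCase());
  return tags.some((t) => t !== 'input');
}

// Constructed example of a crafted link a victim might be tricked into opening:
// the value closes the attribute and opens a tag of the attacker's choosing.
const craftedUrl = 'https://example.test/?q=' +
  encodeURIComponent('"><script>alert(1)</script>');

console.log(containsUnexpectedTag(renderSearchVulnerable(craftedUrl))); // true
console.log(containsUnexpectedTag(renderSearchFixed(craftedUrl)));      // false
```

The same escaping must be chosen per output context (attribute, element body, URL, JavaScript); attribute escaping as shown here is not sufficient on its own if the value is later placed inside a `<script>` block.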

Once Patchstack alerted the plugin’s developer to the vulnerability, a security update was promptly released on May 4, 2023, as version 6.1.6.

Written by Husain Parvez

Husain has been around the internet ever since the dial-up days and loves writing about everything across the technosphere. He loves reviewing tech, writing about VPNs, and covering Cybersecurity news.