
A Common WordPress Plugin Flaw Makes More Than 2 Million Websites Vulnerable to Attackers

Jun 30, 2023
Esme Greene

Advanced Custom Fields (ACF) for WordPress is vulnerable to a cross-site scripting (XSS) attack, according to researchers at the WordPress security firm Patchstack.

The vulnerability, tracked as CVE-2023-30777, is a reflected XSS flaw: it lets an attacker inject arbitrary executable script into pages served by the target website.

As Patchstack describes it, the flaw lets an unauthenticated attacker steal sensitive information and, in this case, escalate privileges on a WordPress site by tricking a privileged user, such as an administrator, into visiting a crafted URL.

How the Flaw Works

It is important to note that CVE-2023-30777 can be triggered on a default installation and configuration of Advanced Custom Fields; no special setup is required. The injected script, however, only executes in the browser of a logged-in user who has access to the plugin, which is why the attack depends on luring such a user to the crafted link.

Advanced Custom Fields has more than 2 million active installations. Patchstack identified the issue and reported it to the maintainers on May 2, 2023, and the fix shipped in version 6.1.6. Users of the plugin are advised to update to that release or later.

Reflected XSS attacks typically begin with a victim being tricked into clicking a crafted link received by email or another channel. The link carries the malicious script in one of its parameters; the vulnerable site echoes that input back into the page without escaping it, and the victim's browser runs the script with the victim's session and privileges.
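The following is an added illustration of the reflected XSS pattern described above, in the kind of PHP a WordPress plugin would contain. It is not the Advanced Custom Fields source and does not reproduce the actual vulnerable code; the parameter name `post_type`, the function names, and the allow-list of post types are assumptions made for the example. The first function concatenates a query-string value straight into an HTML attribute, the second validates and escapes it.

```php
<?php
// Added example, not ACF's own code. Names and the post_type parameter are assumptions.

// Minimal stand-in for WordPress's esc_attr() so this file runs outside WordPress;
// inside WordPress the real esc_attr() is used instead.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

// VULNERABLE: the raw query-string value lands inside a double-quoted attribute.
// A URL such as  /wp-admin/post.php?post_type=%22%3E%3Cscript%3E...  closes the
// attribute and the script runs in the browser of whoever opens the link.
function body_tag_vulnerable( array $get ) {
    $post_type = isset( $get['post_type'] ) ? $get['post_type'] : 'post';
    return '<body class="wp-admin post-type-' . $post_type . '">';
}

// HARDENED: (1) accept only post types the site actually registers, falling back
// to a safe default; (2) escape for the attribute context before output.
// Escaping alone neutralises this payload; the allow-list additionally keeps
// unexpected values out of the page entirely.
function body_tag_hardened( array $get, array $known_post_types ) {
    $post_type = isset( $get['post_type'] ) ? (string) $get['post_type'] : 'post';
    if ( ! in_array( $post_type, $known_post_types, true ) ) {
        $post_type = 'post';
    }
    return '<body class="wp-admin post-type-' . esc_attr( $post_type ) . '">';
}

// Constructed attacker input, as PHP would see it after URL decoding.
$attack = array( 'post_type' => '"><script>alert(document.cookie)</script>' );
$known  = array( 'post', 'page', 'acf-field-group' );

echo body_tag_vulnerable( $attack ), PHP_EOL;
echo body_tag_hardened( $attack, $known ), PHP_EOL;

// Escaping on its own, without the allow-list, also blocks the attribute break-out.
echo '<body class="wp-admin post-type-' . esc_attr( $attack['post_type'] ) . '">', PHP_EOL;
```

Run it with `php example.php`. The first line of output contains a live `<script>` element because the `">` in the payload terminated the `class` attribute; the second falls back to `post-type-post`; the third keeps the attacker's text but with `"` and `<` encoded as entities, so it stays inert attribute text. When reviewing a plugin for this class of bug, look for any `$_GET`, `$_REQUEST` or `$_SERVER['REQUEST_URI']` value that reaches `echo` or string concatenation without passing through `esc_attr()`, `esc_html()`, `esc_url()` or a validation step appropriate to where it is printed.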