May 6, 2023Rabbi Lakshmanan

Users of the Advanced Custom Fields plugin for WordPress are being asked to update to version 6.1.6 due to a security flaw discovered.

The issue, which has been assigned the identifier CVE-2023-30777, relates to a case of Reflected Cross-Site Scripting (XSS) that can be exploited to inject arbitrary executable script into innocent websites. increase.

Plugins available in both free and pro versions are 2 million active installsThis issue was discovered on May 2nd, 2023 and reported to the maintainers.

“This vulnerability allows an unauthenticated user to steal sensitive information. In this case, a privileged user could be tricked into accessing a crafted URL path to escalate privileges on a WordPress site. ,” said Patchstack researcher Rafie Muhammad. Said.

cyber security

Reflected XSS Attacks typically occur when a victim is tricked into clicking a fake link sent via email or another channel, sending malicious code to a vulnerable website and allowing the attack to reflected in the browser.

This element of social engineering means that reflected XSS does not have the same scope and scale as stored XSS attacks, encouraging attackers to distribute malicious links to as many victims as possible. increase.

“[A reflected XSS attack] This is usually the result of insufficiently sanitized incoming requests, which can manipulate web application functionality and launch malicious scripts,” Imperva said. Note.

WordPress plugin

Note that CVE-2023-30777 can be activated with a default installation or configuration of Advanced Custom Fields. However, it can only be activated by logged-in users who have access to the plugin.

This development fixes two XSS flaws of medium severity (CVE-2023-30177 and CVE-2023-31144) can be exploited by attackers to deliver malicious payloads.

upcoming webinars

Learn how to stop ransomware with real-time protection

Join our webinar to learn how real-time MFA and service account protection can stop ransomware attacks.

Save my seat!

Also follows the disclosure of another XSS flaw in the cPanel product (CVE-2023-29489CVSS score: 6.1) and can be exploited to execute arbitrary JavaScript without authentication.

“Attackers can attack applications running on ports 80 and 443 as well as cPanel’s administrative ports,” said Assetnote’s Shubham Shah. Saidadding it could allow an adversary to hijack a valid user’s cPanel session.

“Acting on behalf of an authenticated user in cPanel, it’s usually trivial to upload a web shell and execute commands.”

Did you find this article interesting?Please follow us twitter and LinkedIn To read more exclusive content that we post.



Register now for our membership to gain access to our elite training program and fast forward your career today!


Subscribe my Newsletter for new blog posts, tips & new photos. Let's stay updated!

Security Blog

Blue Training Academy

Blue Training Academy was developed in 2018 as a educational and training facility for continuing education and certification courses. Blue Training Academy is an educational institution that allows for all sectors of the public and Criminal Justice field to gain ongoing training and education.

Copyright ©️ All rights reserved. | Blue Training Academy Blog