Users of the Advanced Custom Fields plugin for WordPress are being asked to update to version 6.1.6 due to a security flaw discovered.
The issue, which has been assigned the identifier CVE-2023-30777, relates to a case of Reflected Cross-Site Scripting (XSS) that can be exploited to inject arbitrary executable script into innocent websites. increase.
Plugins available in both free and pro versions are 2 million active installsThis issue was discovered on May 2nd, 2023 and reported to the maintainers.
“This vulnerability allows an unauthenticated user to steal sensitive information. In this case, a privileged user could be tricked into accessing a crafted URL path to escalate privileges on a WordPress site. ,” said Patchstack researcher Rafie Muhammad. Said.
Reflected XSS Attacks typically occur when a victim is tricked into clicking a fake link sent via email or another channel, sending malicious code to a vulnerable website and allowing the attack to reflected in the browser.
This element of social engineering means that reflected XSS does not have the same scope and scale as stored XSS attacks, encouraging attackers to distribute malicious links to as many victims as possible. increase.
“[A reflected XSS attack] This is usually the result of insufficiently sanitized incoming requests, which can manipulate web application functionality and launch malicious scripts,” Imperva said. Note.
Note that CVE-2023-30777 can be activated with a default installation or configuration of Advanced Custom Fields. However, it can only be activated by logged-in users who have access to the plugin.
“Attackers can attack applications running on ports 80 and 443 as well as cPanel’s administrative ports,” said Assetnote’s Shubham Shah. Saidadding it could allow an adversary to hijack a valid user’s cPanel session.
“Acting on behalf of an authenticated user in cPanel, it’s usually trivial to upload a web shell and execute commands.”