
New vulnerability discovered in WordPress plugin

Olivier Beg
Head of Hacking

WordPress plugin hole puts '2 million websites' at risk

A widespread, high-severity vulnerability has been discovered in the Advanced Custom Fields (ACF) plugin for WordPress. The vulnerability has been designated CVE-2023-30777 and has a CVSS severity score of 6.1 which could put 2 million websites at risk.

Hadrian recommends the Advanced Custom Fields plugin for WordPress be updated to version 6.1.6 as soon as possible.

What is the Advanced Custom Fields vulnerability?

The vulnerability allows third parties to run JavaScript within a victim’s page, allowing them to steal sensitive information and perform actions as that user. If the victim is logged in as an administrative user, this could allow the website to be hijacked.

The exploit can be carried out via a Cross-Site Scripting (XSS) attack, injecting arbitrary executable scripts into websites running vulnerable versions of the Advanced Custom Fields plugin. Reflected XSS attacks such as this one require some social engineering, so that a user clicks a malicious link that has been sent to them. The attack is possible because a function handler within the plugin doesn’t properly sanitize the class string it returns.

The vulnerability is within the "admin_body_class" hook function handler, which controls and filters the design and layout for the main body tag in the admin area. The value the hook outputs is not properly escaped and is inserted directly into the HTML. The handler does use the “sanitize_text_field” function; however, this is not enough to prevent XSS, because that function strips tags but does not encode the quote characters that delimit an HTML attribute.
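To illustrate why tag-stripping alone does not protect a value placed in an HTML attribute, here is an added Python example (not part of the original article and not the plugin's code). The two helpers are simplified, constructed models of WordPress's sanitize_text_field() and esc_attr(), and the untrusted class value is constructed for the demonstration.

```python
import html
import re

# Constructed, simplified model of WordPress sanitize_text_field():
# it strips HTML tags and control characters but leaves quotes untouched.
def strip_tags_model(value: str) -> str:
    value = re.sub(r"<[^>]*>", "", value)       # drop anything that looks like a tag
    value = re.sub(r"[\x00-\x1f]", "", value)   # drop control characters
    return value.strip()

# Constructed model of WordPress esc_attr(): HTML-encode &, <, >, " and '
# so the value can never terminate the attribute it is placed in.
def esc_attr_model(value: str) -> str:
    return html.escape(value, quote=True)

def render_body_tag(classes: str, escape) -> str:
    """Build the admin <body> tag the way an admin_body_class consumer does."""
    return f'<body class="{escape(classes)}">'

def attribute_count(tag: str) -> int:
    """Count attributes in a rendered tag; a safe class value yields exactly one."""
    return len(re.findall(r'\s[\w-]+="[^"]*"', tag))

def attribute_breakers(value: str) -> str:
    """Return any characters left in value that can end or alter an attribute."""
    return "".join(c for c in "\"'<>" if c in value)

# Constructed input: a class value carrying a quote and a tag fragment.
UNTRUSTED = 'wp-admin" title="injected<b>'

def demo():
    # Tag stripping removes <b> but the quote still closes the class attribute,
    # so a second attribute appears; attribute escaping keeps it as one value.
    weak = render_body_tag(UNTRUSTED, strip_tags_model)
    strong = render_body_tag(UNTRUSTED, esc_attr_model)
    return weak, strong

if __name__ == "__main__":
    for tag in demo():
        print(attribute_count(tag), tag)
```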

"To protect your WordPress website from cross-site scripting (XSS) vulnerabilities, it is crucial to carefully select plugins from reputable sources and keep them up-to-date. This ensures that you minimize the risk of introducing malicious code and benefit from security patches provided by plugin developers. Stay vigilant and prioritize the security of your website."

Olivier Beg, 2023

The vulnerability is exploitable on the free and pro versions of Advanced Custom Fields below 6.1.6. With over 2 million active installations, 70% of which use outdated versions of the plugin, threat actors could be incentivized to launch attacks exploiting the vulnerability. It is therefore recommended that administrators remediate the vulnerability before it is exploited.

Hadrian's recommendations

The plugin should be immediately updated to at least version 6.1.6, which was released on 5th May. With the update, the output of the handler is correctly sanitized, remediating the risk of exploitation.

WordPress is often targeted because it is used on over 40% of all websites and has a large number of third-party plugins. Threat actors commonly use poorly maintained plugins as a vector when launching their attacks.

Organizations should implement an external exposure management solution to identify risks before they are exploited. Get in touch with our experts to learn more.
