Patchstack security researchers recently warned that ‘Advanced Custom Fields’ and ‘Advanced Custom Fields Pro’ WordPress plugins are at risk of cross-site scripting attacks (XSS).
These WP plugins, installed on millions of websites, may be vulnerable to security breaches.
The ‘Advanced Custom Fields’ and ‘Advanced Custom Fields Pro’ plugins are renowned custom field builders for WordPress and have accumulated a significant user base, with over 2 million active installations.
On May 2, 2023, a severe reflected XSS vulnerability was identified by Rafie Muhammad, a researcher at Patchstack, and the vulnerability has been tracked as “CVE-2023-30777.”
Vulnerability in Advanced Custom Fields
XSS vulnerabilities provide a gateway for malevolent actors to inject harmful scripts onto websites accessed by unsuspecting users.
In short, this enables the code to run within the visitor’s browser and compromise their security. According to Patchstack, an unauthenticated adversary could exploit the XSS vulnerability to steal confidential data and even elevate their privileges on a compromised WordPress site.
Apart from this, it is crucial to note that this particular flaw could also be activated on a default installation or configuration of the Advanced Custom Fields plugin.
To exploit this vulnerability, an unauthenticated threat actor would need to engage in social engineering tactics to convince someone with plugin access to visit a malicious URL. In short, this vulnerability cannot be triggered through a direct attack by the attacker.
The plugin developer took prompt action as soon as Patchstack brought the vulnerability to their attention.
They swiftly released a security update on May 4, 2023, which addressed the issue and is now available as version 6.1.6.
This vulnerability (CVE-2023-30777) results from the ‘admin_body_class’ function handler. At the same time, this handler did not adequately sanitize the output value of a hook that manages the CSS classes.
On the plugin’s code, an attacker can take advantage of an unsafe direct code sequence variable (‘$this→view’). By exploiting this threat, actors could add malicious code, such as DOM XSS payloads, into the segments that ultimately get passed to a class string.
Moreover, it’s worth noting that the plugin’s ‘sanitize_text_field’ cleaning function will not be able to prevent this attack.
This is because it cannot detect and neutralize the injected malicious code. Therefore, the injected code can still pass through and potentially cause harm.
In version 6.1.6 of the plugin, the developer addressed the vulnerability by introducing a new function called ‘esc_attr.’
This function performs thorough sanitization on the output value of the ‘admin_body_class’ hook, effectively preventing any XSS attacks from occurring.
Here below, we have mentioned the disclosure timeline:-
- 02-05-2023: Experts found the vulnerability and reached out to the plugin vendor.
- 04-05–2023: Advanced Custom Fields free and pro plugin version 6.1.6 was published to patch the reported issues.
- 05-05-2023: Added the vulnerabilities to the Patchstack vulnerability database.
Cybersecurity analysts have strongly recommended that all the ‘Advanced Custom Fields’ and ‘Advanced Custom Fields Pro’ users immediately upgrade to version 6.1.6 or a newer version.
Doing this will patch the vulnerability and protect the websites from potential security breaches.