[ad_1]
Security researchers warn that WordPress plugins “Advanced Custom Fields” And “Advanced Custom Fields Pro”with millions of installs, are vulnerable to cross-site scripting (XSS) attacks.
Both plugins are among the most popular custom field builders in WordPress, with 2,000,000 active installs on sites around the world.
Patchstack Researcher Mohammad Rafie discovered the high-severity reflected XSS vulnerability on May 2, 2023, which was assigned the identifier CVE-2023-30777.
XSS bugs typically allow attackers to inject malicious scripts into websites visited by others, causing code to execute in the visitor’s web browser.
Patchstack says the XSS flaw could allow an unauthenticated attacker to steal sensitive information and elevate privileges on an impacted WordPress site.
“Note that this vulnerability could be triggered on a default installation or configuration of the Advanced Custom Fields plugin,” explains Patchstack in the newsletter.
“XSS can also only be triggered from logged in users with access to the Advanced Custom Fields plugin.”
This means that the unauthenticated attacker would still have to rely on someone with access to the plugin to visit a malicious URL to trigger the flaw.
The plugin developer was made aware of the issue when discovered by Patchstack and released a security update on May 4, 2023, in version 6.1.6.
The XSS flaw
The CVE-2023-30777 flaw comes from the function handler ‘admin_body_class’, which failed to properly clean up the output value of a hook that checks and filters the CSS classes (design and layout) for the tag main body in the sites WordPress admin area.
An attacker can take advantage of insecure direct code concatenation on the plugin code, specifically the ‘$this→view’ variable, to add harmful code (DOM XSS payloads) into its components that will be passed to the final product, a class string.
The sanitization function used by the plugin, ‘sanitize_text_field,’ will not stop the attack as it will not catch the injection of malicious code.
[ad_2]
Source link