Security researchers warn that WordPress plugins “Advanced Custom Fields” And “Advanced Custom Fields Pro”with millions of installs, are vulnerable to cross-site scripting (XSS) attacks.

Both plugins are among the most popular custom field builders in WordPress, with 2,000,000 active installs on sites around the world.

Patchstack Researcher Mohammad Rafie discovered the high-severity reflected XSS vulnerability on May 2, 2023, which was assigned the identifier CVE-2023-30777.

XSS bugs typically allow attackers to inject malicious scripts into websites visited by others, causing code to execute in the visitor’s web browser.

Patchstack says the XSS flaw could allow an unauthenticated attacker to steal sensitive information and elevate privileges on an impacted WordPress site.

“Note that this vulnerability could be triggered on a default installation or configuration of the Advanced Custom Fields plugin,” explains Patchstack in the newsletter.

“XSS can also only be triggered from logged in users with access to the Advanced Custom Fields plugin.”

This means that the unauthenticated attacker would still have to rely on someone with access to the plugin to visit a malicious URL to trigger the flaw.

The plugin developer was made aware of the issue when discovered by Patchstack and released a security update on May 4, 2023, in version 6.1.6.

The XSS flaw

The CVE-2023-30777 flaw comes from the function handler ‘admin_body_class’, which failed to properly clean up the output value of a hook that checks and filters the CSS classes (design and layout) for the tag main body in the sites WordPress admin area.

The code for the 'admin_body_class' function
The ‘admin_body_class’ function (stack of patches)

An attacker can take advantage of insecure direct code concatenation on the plugin code, specifically the ‘$this→view’ variable, to add harmful code (DOM XSS payloads) into its components that will be passed to the final product, a class string.

The sanitization function used by the plugin, ‘sanitize_text_field,’ will not stop the attack as it will not catch the injection of malicious code.

Access the 'this->view’ variable via the ‘current_screen’ function” height=”212″ src=”https://www.bleepstatic.com/images/news/u/1220909/2023/WordPress/8/this-post.jpg” width=”766″/><figcaption><strong>Access the ‘this->view’ variable via the ‘current_screen’ function</strong> <em>(stack of patches)</em></figcaption></figure>
<p>The developer fixed the flaw in version 6.1.6 by implementing a new function named ‘<a href=esc_attr‘ which correctly cleans up the output value of the admin_body_class hook, thus preventing XSS.

All users of ‘Advanced Custom Fields’ and ‘Advanced Custom Fields Pro’ are encouraged to upgrade to version 6.1.6 or later as soon as possible.

Based on WordPress.org download statistics72.1% of plugin users are still using versions lower than 6.1, which are vulnerable to XSS and other known flaws.


Source link