Tuesday, February 20

Popular WordPress Plugin Makes 2 Million Websites Vulnerable

A vulnerability in the Advanced Custom Fields plugin for WordPress makes it possible to inject malicious code into about two million websites, harming the site and/or its users.

These are the Delicious Brains Advanced Custom Fields and Advanced Custom Fields Pro plugins. The plugins give WordPress site administrators more control over their content and data.

On February 5, Patchstack found that an XSS attack through that plugin was possible. XSS stands for cross-site scripting: an attacker enters code, usually into a text box on a site, and the site then interprets that code instead of treating it as plain text. XSS attacks were widespread 10-15 years ago. Since then, most sites with input fields have learned to handle them so that only text gets through or the code is not executed. But exceptions keep popping up.

It would be possible to run JavaScript silently in the browser of every visitor to the site. That, in turn, can lead to information being stolen from the visitor, or to the entire site being taken over if the visitor is an administrator of the site.
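To make the two paragraphs above concrete, here is an added illustration of the general XSS pattern they describe: a request parameter echoed into page markup without escaping, next to the hardened version that allowlists the value and escapes it for the context it lands in. This is example code written for this article, not code from the Advanced Custom Fields plugin or from Patchstack's report; the parameter name `view_mode`, the markup, and the CLI shims for WordPress's `esc_attr()` and `esc_html()` are assumptions made so the script runs outside WordPress.

```php
<?php
// Added example, not code from the Advanced Custom Fields plugin.
// Parameter name "view_mode" and the markup are assumptions for the demo.

// Outside WordPress, stand in for esc_attr()/esc_html() so the script runs
// from the CLI; inside WordPress the real plugin-API functions are used.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable pattern: the request parameter goes straight into the HTML, so
// the browser parses whatever was in the URL as markup and runs any script.
function render_unsafe(array $request): string {
    $mode = $request['view_mode'] ?? 'list';
    return '<div class="demo" data-mode="' . $mode . '">' . $mode . '</div>';
}

// Hardened pattern: restrict the value to an allowlist, then escape it for
// the exact output context (attribute value vs. text node).
function render_safe(array $request): string {
    $allowed = ['list', 'grid'];
    $mode = $request['view_mode'] ?? 'list';
    if (!in_array($mode, $allowed, true)) {
        $mode = 'list';                       // unknown value: fall back, never echo it raw
    }
    return '<div class="demo" data-mode="' . esc_attr($mode) . '">'
         . esc_html($mode) . '</div>';
}

// Constructed request, the kind of value a crafted link could carry.
$request = ['view_mode' => '"><script>alert(1)</script>'];

echo "Unsafe: " . render_unsafe($request) . PHP_EOL;
echo "Safe:   " . render_safe($request) . PHP_EOL;
```

Run with `php demo.php`: the unsafe line breaks out of the attribute and emits a live `<script>` element, while the safe line prints only `data-mode="list"`. The allowlist is what a reviewer should look for first; escaping alone would also neutralise the payload, but an allowlist keeps unexpected input out of the page entirely, which is the same property an updated plugin version must provide.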

A patch for the problem was released in early April. Since May 5, Patchstack and Rafie Muhammad, the Patchstack researcher who discovered it, have been permitted to discuss it publicly. In practical terms, users of Advanced Custom Fields must update to version 6.1.6 or newer. The vulnerability has been assigned CVE-2023-30777.
