WordPress Advanced Custom Fields plugin vulnerable to reflected XSS attack

Following the discovery of CVE-2023-30777, a security flaw characterized by reflected cross-site scripting (XSS), users of the Advanced Custom Fields plugin for WordPress are advised to update to version 6.1.6.

Malicious actors might use this flaw to insert arbitrary executable programs onto otherwise harmless websites. According to Patchstack researcher Rafie Muhammad, the vulnerability enables any unauthenticated user to collect critical information in order to acquire power escalation on the WordPress site by luring a privileged user into visiting the generated URL route.

According to Muhammad, reflected XSS attacks often occur when users are conned into clicking on a phony link delivered by email or another method, allowing the malicious code to be transferred to the susceptible website, which then reflects the attack back to the user’s browser.

According to Shubham Shah of Assetnote, the attacker may target not only the cPanel control ports, but also the apps running on ports 80 and 443. This might result in the hijacking of a genuine user’s cPanel session. When a person gets access to a cPanel user’s account, it is usually simple to upload a web shell and execute instructions on that user’s behalf.

CVE-2023-30777 may be enabled on a default Advanced Custom Fields installation or configuration, but only by logged-in users who have access to the plugin.

The sources for this piece include an article in TheHackerNews.

IT World Canada Staff
IT World Canada Staff
The online resource for Canadian Information Technology professionals.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web