Vulnerability Detected in WordPress Advanced Custom Fields Plugin
WordPress site owners running the Advanced Custom Fields plugin should update it, following the disclosure of a flaw in the plugin's code that exposes websites and their visitors to cross-site scripting (XSS) attacks.
Patchstack issued an alert about the flaw, noting that the Advanced Custom Fields and Advanced Custom Fields Pro plugins together have more than two million active installs. The plugins give site administrators finer control over the content and data attached to posts, pages and other objects.
Patchstack researcher Rafie Muhammad discovered the vulnerability on 2 May 2023 and reported it to Delicious Brains, the vendor behind Advanced Custom Fields.
Patchstack published its advisory on 5 May 2023, the day after Delicious Brains shipped the fix in version 6.1.6 of both plugins. Users are advised to update to version 6.1.6 or later; the fix is a plugin update only, so no change to WordPress core is needed.
The vulnerability, tracked as CVE-2023-30777 and assigned a CVSS severity score of 6.1 out of 10 (medium), makes affected sites susceptible to reflected XSS. In a reflected XSS attack the malicious script travels inside the request itself, typically as a parameter in a crafted URL; the vulnerable page echoes that value into its HTML response without escaping it, and the victim's browser executes the script as part of the page. Because the payload has to be delivered to the victim, the attack usually relies on getting a target to open a link, which is why the score is medium rather than critical.
In practice this lets an attacker run JavaScript in another user's view of the page, with that user's session, and so read information, submit forms and perform other actions as them. This is particularly concerning when the victim is a logged-in administrator: script running in the WordPress admin area can act with full administrative rights, so a single click on a crafted link can lead to account compromise and site takeover.
According to Patchstack's report, "This vulnerability enables any unauthenticated user [to steal] sensitive information, leading to privilege escalation on the WordPress site by tricking the privileged user into visiting the crafted URL path."
Patchstack further noted that "this vulnerability could be triggered on a default installation or configuration of the Advanced Custom Fields plugin. The XSS could also be triggered only by logged-in users with access to the Advanced Custom Fields plugin."
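To make the mechanism concrete, the following is an added example written for this post, not code from Advanced Custom Fields or Patchstack. It shows the general pattern behind a reflected XSS in a WordPress admin screen: a request parameter concatenated straight into an HTML attribute, next to the same fragment fixed with an allowlist and attribute escaping. The plugin fragment, the `view` parameter and the function names are hypothetical; `esc_attr()` and `sanitize_html_class()` are real WordPress functions, with stand-ins defined so the file also runs from the command line with plain PHP. A small version check for the remediation step is included at the end.

```php
<?php
// Added example (hypothetical plugin fragment, not ACF's code).
// Run stand-alone with: php reflected_xss_demo.php
// Inside WordPress the real esc_attr()/sanitize_html_class() are used instead
// of the fallbacks below.

if ( ! function_exists( 'esc_attr' ) ) {
    // Stand-in approximating WordPress esc_attr() for running outside WP:
    // encodes <, >, &, " and ' so the value cannot break out of an attribute.
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

if ( ! function_exists( 'sanitize_html_class' ) ) {
    // Stand-in approximating WordPress sanitize_html_class():
    // keeps only A-Z, a-z, 0-9, underscore and hyphen, else returns $fallback.
    function sanitize_html_class( $class, $fallback = '' ) {
        $sanitized = preg_replace( '/[^A-Za-z0-9_-]/', '', (string) $class );
        return ( '' === $sanitized && '' !== $fallback ) ? $fallback : $sanitized;
    }
}

// VULNERABLE: the current "view" tab name is read from the query string and
// concatenated into the class attribute untouched. A double quote in the value
// closes the attribute, so the rest of the parameter becomes new markup that
// the admin's browser renders and executes.
function render_view_tab_vulnerable( array $get ) {
    $view = isset( $get['view'] ) ? $get['view'] : 'all';
    return '<div class="demo-admin-page view-' . $view . '">Field groups</div>';
}

// FIXED: first constrain the value to what a class name may legitimately
// contain (the real fix), then escape it for the attribute context anyway
// (defence in depth, in case the value is later reused somewhere else).
function render_view_tab_safe( array $get ) {
    $view = isset( $get['view'] ) ? sanitize_html_class( $get['view'], 'all' ) : 'all';
    return '<div class="demo-admin-page view-' . esc_attr( $view ) . '">Field groups</div>';
}

// Remediation check: true when an installed ACF version is below the fixed
// release (6.1.6), using PHP's built-in version comparison.
function acf_version_needs_update( $installed ) {
    return version_compare( $installed, '6.1.6', '<' );
}

if ( PHP_SAPI === 'cli' ) {
    // Constructed input: what a crafted admin URL such as
    // ...?view=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E decodes to.
    $payload = '"><script>alert(document.domain)</script>';

    echo "vulnerable: ", render_view_tab_vulnerable( array( 'view' => $payload ) ), "\n";
    echo "safe:       ", render_view_tab_safe( array( 'view' => $payload ) ), "\n";

    foreach ( array( '6.1.5', '6.1.6', '6.2.0' ) as $installed ) {
        echo "ACF $installed needs update: ",
            ( acf_version_needs_update( $installed ) ? 'yes' : 'no' ), "\n";
    }
}
```

The vulnerable function emits the `<script>` element verbatim, while the fixed one strips everything that is not a valid class character and falls back to `all`, so nothing attacker-controlled reaches the markup. On a live site the version the check needs can be read with `wp plugin get advanced-custom-fields --field=version` (WP-CLI) or from the Plugins screen, and `wp plugin update advanced-custom-fields` applies the fix.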