LAGOS, Nigeria (VOICE OF NAIJA) – WordPress users who have the Advanced Custom Fields plugin installed on their website should update after a flaw in the code was found that could expose websites and their users to cross-site scripting (XSS) attacks.
The Advanced Custom Fields and Advanced Custom Fields Pro versions of the plugin, which are designed to give site managers better control over their content and data, have more than two million active installs, according to a warning from Patchstack about the problem.
The flaw was discovered on 5 February by Rafie Muhammad of Patchstack and was reported to Delicious Brains, the company that purchased Advanced Custom Fields from its creator Elliot Condon last year.
Details of the problem were made public by Patchstack on 5 May, one month after Delicious Brains released a fixed version of the plugins. Users are advised to update to at least version 6.1.6 of their plugin.
The vulnerability, identified as CVE-2023-30777, makes websites susceptible to reflected XSS attacks, in which malicious code is injected into a webpage and then “reflected” back and run inside a visitor’s browser.
The vulnerability has a CVSS severity rating of 6.1 out of 10.
Basically, it enables the execution of JavaScript within another user’s view of a page, giving the attacker the ability to steal data from the page, act in the user’s place, and more.
If the visitor is an administrator user who is logged in, this is a serious issue because their account might be used to seize control of the website.
“This vulnerability allows any unauthenticated user [to steal] sensitive information to, in this case, privilege escalation on the WordPress site by tricking the privileged user to visit the crafted URL path,” Patchstack wrote in its report.
The outfit added that “this vulnerability could be triggered on a default installation or configuration of Advanced Custom Fields plugin. The XSS also could only be triggered from logged-in users that have access to the Advanced Custom Fields plugin.”
The problem is fairly simple: it stems from the plugin’s “admin_body_class” function handler, which, according to Patchstack, was registered as an extra handler for the similarly named “admin_body_class” hook in WordPress.
The handler controls and filters the design and layout of the main body tag in the admin section.
Because the function handler fails to properly sanitize the value of the hook, an attacker can insert malicious code into the website, including redirections, adverts, and other HTML payloads, which is then executed when a person visits the page.
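As an added illustration that is not Advanced Custom Fields’ own code, here is a hypothetical WordPress `admin_body_class` filter handler in the shape the report describes: the unsafe version appends request input to the admin body classes unescaped, while the hardened version constrains the value to a valid CSS class token and escapes it for an attribute context with WordPress’s own helpers. The `vn_demo_` function names and the `page` request parameter are assumptions for the example.

```php
<?php
/**
 * Hypothetical WordPress plugin snippet (not Advanced Custom Fields' code)
 * illustrating the admin_body_class pattern described above.
 *
 * The filter receives a string of space-separated CSS classes that WordPress
 * prints into <body class="..."> on admin pages; whatever a handler returns
 * ends up inside that attribute.
 */

// UNSAFE: request input reaches the body tag's class attribute verbatim.
// A value that breaks out of the attribute is reflected into the page of any
// logged-in user who opens the crafted admin URL.
function vn_demo_admin_body_class_unsafe( $classes ) {
    if ( isset( $_GET['page'] ) ) {
        // Concatenating raw request data is the defect class behind a reflected XSS.
        $classes .= ' vn-page-' . $_GET['page'];
    }
    return $classes;
}

// HARDENED: only a constrained token can be appended, and the result is
// escaped for an HTML attribute context before it is returned.
function vn_demo_admin_body_class_safe( $classes ) {
    if ( isset( $_GET['page'] ) ) {
        // sanitize_html_class() strips everything that is not a valid CSS class
        // character, so quotes and angle brackets never survive.
        $slug = sanitize_html_class( wp_unslash( $_GET['page'] ) );
        if ( '' !== $slug ) {
            // esc_attr() is the WordPress escaper for HTML attribute values.
            $classes .= ' ' . esc_attr( 'vn-page-' . $slug );
        }
    }
    return $classes;
}

// Register only the hardened handler; the unsafe one is shown for contrast.
add_filter( 'admin_body_class', 'vn_demo_admin_body_class_safe' );
```

The same check applies to any plugin code that feeds request data into this hook: sanitize on input and escape on output, even for values that end up “only” in a class attribute.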
The XSS vulnerability was one of four discovered in the well-known plugin over the previous few years, according to Patchstack.
According to W3Techs, 43.2 percent of all websites utilize the content management system WordPress, which turns 20 this month.
WordPress is used by hundreds of millions of websites, which has made it an attractive target for criminals looking to take advantage of any systemic weaknesses because that’s where the money is.
The number of WordPress vulnerabilities disclosed increased by 150 percent between 2020 and 2021, according to a Patchstack survey, and 29 percent of plugins with serious vulnerabilities at the time were left unpatched.