
Hackers start pummeling ACF WordPress plugin following POC release


Advanced Custom Fields, a massively popular WordPress plugin installed on over two million websites, is being actively exploited by hackers through a critical cross-site scripting flaw tracked as CVE-2023-30777, within only 24 hours of a proof-of-concept (POC) exploit being made public.

The vulnerability was initially discovered by Patchstack researcher Rafie Muhammad on February 5 and reported to the plugin’s vendor Delicious Brains. The bug was fixed in version 6.1.6 of the plugin released on May 4 and the POC was released to the general public the following day on May 5. 

As for the exploitation activity, the Akamai Security Intelligence Group reported that starting May 6, they observed significant scanning and exploitation activity using the code provided in Patchstack’s POC. The threat actors are reportedly copying Patchstack’s code without any modifications or improvements of their own. 

Exploitation activity for ACF has risen drastically. | Source: Akamai

While it’s common for scanning and exploitation attempts to increase once a POC is made public, as security researchers, hobbyists and companies looking to protect themselves examine new vulnerabilities, Akamai says the volume is increasing and the amount of time between a release and the growth in search volume is “drastically decreasing”.

Because the exploit works on default configurations of the targeted plugin, the chance of successful exploitation is higher. The flaw does require the involvement of a logged-in user with access to the plugin, but that requirement can be overcome with social engineering, phishing and other methods.

According to the stats on the plugin’s WordPress page, only 31.5% of total installations have been upgraded to the safe version, leaving well over 1.3 million websites vulnerable to these attacks. With 196,630 downloads in the last seven days alone and an all-time download count of 37,723,723, there’s a lot of room for malicious activity.
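For site owners who need to know whether they are among the unpatched installations, the following added example (not code from the article, Akamai, Patchstack or the plugin vendor) audits a `wp-content/plugins` directory for copies of the plugin older than 6.1.6. It assumes the plugin identifies itself with the header name "Advanced Custom Fields" and reads the standard WordPress plugin header comment; the function names and the sample header are constructed for illustration.

```python
import re
from pathlib import Path

FIXED = (6, 1, 6)  # first fixed release, per the article
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.M | re.I)

def read_header(php_text):
    """Return (name, version) from a WordPress plugin header comment, or None."""
    fields = {}
    # Headers live at the top of the main plugin file; 8 KiB is plenty.
    for key, val in HEADER.findall(php_text[:8192]):
        fields.setdefault(key.lower(), val.strip())
    if "plugin name" not in fields:
        return None
    return fields["plugin name"], fields.get("version", "")

def version_tuple(version):
    """'6.1.5-beta2' -> (6, 1, 5); missing parts count as 0."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def needs_update(version):
    # Empty or unparseable versions are flagged so they get a manual look.
    return not version or version_tuple(version) < FIXED

def audit(plugins_dir):
    """Yield (plugin_folder, version, needs_update) for every ACF copy found."""
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        header = read_header(php.read_text(errors="replace"))
        # Assumption: exact header name; folder names can be renamed, headers rarely are.
        if header and header[0].lower() == "advanced custom fields":
            yield php.parent.name, header[1], needs_update(header[1])

# Constructed sample header, not taken from a real install.
SAMPLE = "<?php\n/*\n * Plugin Name: Advanced Custom Fields\n * Version: 6.1.5\n */\n"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # usage: python acf_audit.py /path/to/wp-content/plugins
        for folder, version, bad in audit(sys.argv[1]):
            print(f"{folder}\t{version or 'unknown'}\t{'UPDATE' if bad else 'ok'}")
    else:
        print(read_header(SAMPLE), needs_update("6.1.5"))
```
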


Yadullah Abidi


Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
