Advanced Custom Fields, a WordPress plugin used on over two million sites has been found vulnerable to cross-site scripting (XSS) attacks. The vulnerability is being tracked as CVE-2023-30777 and has a CVSS score of 7.1 out of 10. Successful exploitation would allow any threat actor to steal information or escalate their privileges on the site by tricking unsuspecting users into visiting a maliciously crafted URL.
The vulnerability was uncovered by Patchstack researcher Rafie Muhammad back on February 5. It was then reported to Delicious Brains, the vender of the ACF plugin who took over the development from original developer Elliot Condon in 2022. The vendor promptly fixed the issue in version 6.1.6 of the plugin released on May 4.
As for the flaw itself, Patchstack reports that it originates from the “admin_body_class” function handler, which was supposed to be an additional handler for a WordPress hook with the same name. The handler controls and filters the design and layout for the main body tag in the admin area.
However, as is usually the case in XSS vulnerabilities, it doesn’t properly sanitise the input. This means that the attacker can use the input fields to insert malicious code, redirects, ads and other HTML payloads onto the website which would then be executed when a visitor stumbles across the page.
This isn’t the only vulnerability found in the ACF plugin either. Patchstack has reported three additional vulnerabilities, the latest one being a medium-severity PHP object injection vulnerability disclosed on May 3. The vulnerability allows a hacker to execute code injections, SQL injections, path traversal, DoS and even more attacks if a proper POP chain is found. The vulnerability has been fixed in version 6.1.0 of the plugin though.