Popular WordPress Plugin Leaves Millions Of Sites Vulnerable
Reflected XSS Vulnerability Found In Advanced Custom Fields Plugin
A security researcher taking part in the Patchstack.com bug bounty programme discovered a security vulnerability in Advanced Custom Fields, a popular WordPress plugin with more than 2 million active installations.
Advanced Custom Fields is a popular plugin that lets site owners add extra content fields (“custom fields”) to WordPress edit screens, so a site can carry more structured content than the default post and page fields. Site builders use it to ship sites faster and with many more fields per content type.
Like any other piece of software, WordPress plugins can contain vulnerabilities. Researchers identified a reflected cross-site scripting (XSS) vulnerability in both the free and Pro versions of the Advanced Custom Fields plugin. In a reflected XSS, attacker-controlled input from the request (typically a URL parameter) is written back into the page without being escaped for its output context, so the injected script runs in the browser of whoever opens the crafted link.
“This vulnerability allows any unauthenticated user anything from stealing sensitive information to, in this case, privilege escalation on the WordPress site by tricking a privileged user into visiting the crafted URL path,” said Rafie Muhammad, a security researcher at Patchstack.
The vulnerability has been assigned CVE-2023-30777 and was fixed in version 6.1.6 of Advanced Custom Fields (free and Pro). Anyone running an earlier version is urged to update immediately; the installed version can be confirmed on the Plugins screen in wp-admin.
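To make the mechanism concrete, here is an added example of the general pattern behind a reflected XSS in a WordPress admin screen: a request parameter flows into the `<body class="...">` attribute after being "sanitized" but not escaped for the attribute context. It is written for this page and is not code from Advanced Custom Fields or Patchstack, and it does not reproduce the actual CVE-2023-30777 code path; the `admin_body_class` hook, `esc_attr()`, `sanitize_text_field()` and `wp_unslash()` are real WordPress functions, while the parameter name `view` and the `acf-admin-` class prefix are illustrative assumptions. The two stand-in helper definitions exist only so the file also runs with plain `php` outside WordPress.

```php
<?php
// Added example (not from the plugin or the researchers): vulnerable versus
// hardened handling of a request value echoed into an HTML attribute on a
// WordPress admin page.

if ( ! function_exists( 'sanitize_text_field' ) ) {
    // Stand-in for WP's sanitize_text_field(): strips tags and control
    // characters but, like the real one, does NOT encode quotes. Only
    // defined when running outside WordPress.
    function sanitize_text_field( $str ) {
        return trim( preg_replace( '/[\x00-\x1F\x7F]/', '', strip_tags( $str ) ) );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    // Stand-in for WP's esc_attr(): entity-encode for an HTML attribute
    // (quotes included). Only defined when running outside WordPress.
    function esc_attr( $str ) {
        return htmlspecialchars( $str, ENT_QUOTES, 'UTF-8' );
    }
}

// Vulnerable pattern: the value is sanitized for "no tags" but not escaped
// for the attribute it lands in, so a double quote closes the attribute and
// the rest of the payload becomes new attributes on <body>.
function vulnerable_admin_body_class( $classes, $view ) {
    return $classes . ' acf-admin-' . sanitize_text_field( $view );
}

// Hardened pattern: escape for the attribute context at the point of output.
// Sanitizing on input is fine, but output escaping is what stops the XSS.
function hardened_admin_body_class( $classes, $view ) {
    return $classes . ' acf-admin-' . esc_attr( sanitize_text_field( $view ) );
}

// How this would be wired into WordPress (only runs inside WP). The
// parameter name `view` is a hypothetical example, not the plugin's.
if ( function_exists( 'add_filter' ) ) {
    add_filter( 'admin_body_class', function ( $classes ) {
        $view = isset( $_GET['view'] ) ? wp_unslash( $_GET['view'] ) : '';
        return hardened_admin_body_class( $classes, $view );
    } );
}

// Constructed payload, as it would arrive decoded from a crafted admin URL
// that a logged-in administrator is tricked into opening. It contains no
// "<", so strip_tags() leaves it untouched.
$payload = '" onload="alert(document.cookie)" x="';

echo '<body class="' . vulnerable_admin_body_class( 'wp-admin', $payload ) . '">' . "\n";
echo '<body class="' . hardened_admin_body_class( 'wp-admin', $payload ) . '">' . "\n";
```

Run it with `php example.php` and compare the two `<body>` tags: in the first, the payload's leading quote terminates the `class` attribute and `onload` is emitted as a live event handler; in the second, `esc_attr()` turns every quote into `&quot;`, so the whole payload stays inside the class string as inert text. The practical lesson is the one the quote above points at: because the script runs in an administrator's session, it can drive wp-admin on their behalf, which is how a reflected XSS becomes privilege escalation.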
Patchstack reports the following disclosure history (dates are day-month-year), which shows the vendor shipped a patch within two days of the report:
- 02-05-2023 – Patchstack found the vulnerability and reached out to the plugin vendor.
- 04-05-2023 – Advanced Custom Fields free and Pro plugin version 6.1.6 was published to patch the reported issue.
- 05-05-2023 – The vulnerability was added to the Patchstack vulnerability database.
At the end of the day, site owners can only patch once a fix is available, so the practical defence is to apply plugin updates promptly. As this case shows, a vulnerability can sit unnoticed in a plugin with millions of installations until someone goes looking for it.