
WordPress Vulnerable (Again...)

Writer: Trumbull Tech

WordPress users with the Advanced Custom Fields plugin on their website should upgrade after the discovery of a vulnerability in the code that could open up sites and their visitors to cross-site scripting (XSS) attacks.


A warning from Patchstack about the flaw claimed there are more than two million active installs of the Advanced Custom Fields and Advanced Custom Fields Pro versions of the plugins, which are used to give site operators greater control of their content and data.

Patchstack researcher Rafie Muhammad uncovered the vulnerability on May 2, and reported it to Advanced Custom Fields' vendor Delicious Brains, which took over the software last year from developer Elliot Condon.





On May 5, a month after a patched version of the plugins was released by Delicious Brains, Patchstack published details of the flaw. It's recommended users update their plugin to at least version 6.1.6.


The flaw, tracked as CVE-2023-30777 and with a CVSS score of 6.1 out of 10 in severity, leaves sites vulnerable to reflected XSS attacks, which involve miscreants injecting malicious code into webpages. The code is then "reflected" back and executed within the browser of a visitor.


Essentially, it allows someone to run JavaScript within another person's view of a page, allowing the attacker to do things like steal information from the page, perform actions as the user, and so on. That's a big problem if the visitor is a logged-in administrative user, as their account could be hijacked to take over the website.
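As an added illustration (not Advanced Custom Fields' code and not the vendor's patch; the plugin slug, parameter name and function names are made up), here is the reflected-output pattern behind this class of bug in a WordPress admin page, beside the hardened form using WordPress's own sanitising and escaping functions:

```php
<?php
// Added example, not ACF's code or the CVE-2023-30777 fix.
// Hypothetical plugin slug and parameter: 'demo-plugin', 'demo_msg'.

// VULNERABLE: a request parameter is echoed straight into the HTML.
// A logged-in administrator who opens a crafted link to this page
// has the value rendered and executed as markup in their own session,
// which is the reflected XSS mechanism the article describes.
function demo_plugin_render_vulnerable() {
    $msg = isset( $_GET['demo_msg'] ) ? $_GET['demo_msg'] : '';
    echo '<div class="notice">' . $msg . '</div>';
}

// HARDENED: sanitise on input, escape on output for each HTML context.
function demo_plugin_render_hardened() {
    // Defence in depth: only users who may manage options see the page.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'demo-plugin' ) );
    }
    // Remove WordPress's magic slashes, then strip tags and control chars.
    $msg = isset( $_GET['demo_msg'] )
        ? sanitize_text_field( wp_unslash( $_GET['demo_msg'] ) )
        : '';
    // Text-node context: esc_html() turns < > & " ' into entities.
    echo '<div class="notice">' . esc_html( $msg ) . '</div>';
    // Attribute context needs esc_attr(); a URL would need esc_url().
    printf(
        '<input type="text" name="demo_msg" value="%s">',
        esc_attr( $msg )
    );
}

// Register the hardened callback as a top-level admin menu page.
add_action( 'admin_menu', function () {
    add_menu_page(
        'Demo Plugin',               // page title
        'Demo Plugin',               // menu title
        'manage_options',            // required capability
        'demo-plugin',               // menu slug (hypothetical)
        'demo_plugin_render_hardened'
    );
} );
```

The fix is the same regardless of which parameter is reflected: every value that originates in the request is escaped with the function matching the context it lands in (esc_html, esc_attr, esc_url), never concatenated raw.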


"This vulnerability allows any unauthenticated user [to steal] sensitive information to, in this case, privilege escalation on the WordPress site by tricking the privileged user to visit the crafted URL path," Patchstack wrote in its report.


WordPress, which celebrates its 20th birthday this month, remains the most popular content management system in the world, used by 43.2 percent of all websites, according to W3Techs. Because of the hundreds of millions of sites that use it, WordPress has also become a popular target for miscreants who want to exploit any flaws in the system - it's where the money is.


According to a Patchstack survey, there was a 150 percent increase in the number of WordPress vulnerabilities reported between 2020 and 2021, and 29 percent of plugins with critical vulnerabilities at the time remained unpatched.


In addition, WordPress' ease of use lets anyone from tech hobbyists to professionals quickly set up a website, which adds to the platform's security risks, according to Melissa Bischoping, director of endpoint security research at cybersecurity firm Tanium.

"Because many of the plugins available for WordPress sites are developed by the community, they may not be regularly audited and maintained," Bischoping told The Register. "The plugins themselves may contain security vulnerabilities and it is also easy to misconfigure permissions or plugin settings, exposing additional opportunities for exploit."


"The vast majority of bloggers and small business owners that run WordPress sites … are not cybersecurity experts," Ellis said. "WordPress certainly needs updating on a consistent basis, especially if you have a website that has a number of plugins and third-party code."


Trumbull Tech has partnered with Wix to provide secure and seamless hosting and online merchant services without the overhead and patching maintenance. Learn more at trumbull.tech
