WordPress users utilizing the Advanced Custom Fields plugin are strongly advised to update to version 6.1.6 immediately. A security vulnerability has been uncovered, prompting this urgent action.
The vulnerability, tracked as CVE-2023-30777 and fixed in Advanced Custom Fields 6.1.6, is a reflected cross-site scripting (XSS) flaw that allows arbitrary executable scripts to be injected into otherwise benign websites. With over two million active installations, the Advanced Custom Fields plugin is available both as a free version and as a paid Pro version. The security flaw was discovered and reported on May 2, 2023.
According to Rafie Muhammad, a researcher at Patchstack, the flaw can be triggered by unauthenticated users and could lead to privilege escalation or the theft of sensitive information from affected WordPress sites. The attack relies on tricking a privileged user into accessing a specifically crafted URL path.
Reflected XSS attacks commonly occur when unsuspecting victims are enticed into clicking on fraudulent links sent via email or other means. This action leads to the transmission of malicious code to the vulnerable website, which then reflects the attack back to the user’s web browser.
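The pattern described above, as an added illustration rather than code from the Advanced Custom Fields plugin: a hypothetical WordPress admin screen that echoes a query-string parameter back into its own markup, shown first unescaped and then hardened with an allow-list and context-appropriate output escaping (the parameter names, the fallback helpers and the sample input are constructed for the example).

```php
<?php
// Added example, not ACF's code. Reflected XSS occurs when a value taken from
// the request (here a "status" filter and a free-text "s" search term) is
// written back into the page without escaping.

// Fallbacks so the file runs outside WordPress; inside WordPress the real
// esc_attr()/esc_html() from wp-includes/formatting.php are used instead.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable: raw request values are concatenated into an attribute value
// and into HTML text, so a crafted URL controls the rendered markup.
function render_filter_vulnerable(array $query): string {
    $status = $query['status'] ?? 'all';
    $search = $query['s'] ?? '';
    return '<div class="filter status-' . $status . '">'
        . '<input type="text" name="s" value="' . $search . '">'
        . '<p>Results for ' . $search . '</p></div>';
}

// Hardened: constrain values with a known allow-list where one exists, and
// escape everything else on output with the function for its context
// (esc_attr inside attributes, esc_html inside element text).
function render_filter_hardened(array $query): string {
    $allowed = ['all', 'publish', 'draft', 'pending'];
    $status  = $query['status'] ?? 'all';
    if (!in_array($status, $allowed, true)) {
        $status = 'all'; // unknown filter values never reach the page
    }
    $search = $query['s'] ?? '';
    return '<div class="filter status-' . esc_attr($status) . '">'
        . '<input type="text" name="s" value="' . esc_attr($search) . '">'
        . '<p>Results for ' . esc_html($search) . '</p></div>';
}

// Constructed input standing in for the query string of a crafted URL.
$crafted = ['status' => 'draft" data-x="', 's' => '"><b>injected</b>'];
echo "Vulnerable:\n" . render_filter_vulnerable($crafted) . "\n\n";
echo "Hardened:\n" . render_filter_hardened($crafted) . "\n";
```

Run with the PHP CLI: the vulnerable output contains a live `<b>` element and a broken-out attribute, while the hardened output renders the same input as inert text and drops the unknown status value.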
To safeguard your WordPress site, it is crucial to prioritize updating the Advanced Custom Fields plugin without delay.