WordPress custom field plugin bug exposes over 1M sites to XSS attacks

WordPress

Security researchers warn that the ‘Advanced Custom Fields’ and ‘Advanced Custom Fields Pro’ WordPress plugins, with millions of installs, are vulnerable to cross-site scripting attacks (XSS).

The two plugins are among WordPress’s most popular custom field builders, with 2,000,000 active installs on sites worldwide.

Patchstack’s researcher Rafie Muhammad discovered the high-severity reflected XSS vulnerability on May 2, 2023, which was assigned the identifier CVE-2023-30777.

XSS bugs generally allow attackers to inject malicious scripts on websites viewed by others, resulting in the execution of code on the visitor’s web browser.

Patchstack says the XSS flaw could allow an unauthenticated attacker to steal sensitive information and escalate their privileges on an impacted WordPress site.

“Note that this vulnerability could be triggered on a default installation or configuration of Advanced Custom Fields plugin,” explains Patchstack in the bulletin.

“The XSS also could only be triggered from logged-in users that have access to the Advanced Custom Fields plugin.”

This means that the unauthenticated attacker would still have to social engineer someone with access to the plugin to visit a malicious URL to trigger the flaw.

The plugin’s developer was notified of the issue upon Patchstack’s discovery and released a security update on May 4, 2023, in version 6.1.6.

The XSS flaw

The CVE-2023-30777 flaw stems from the ‘admin_body_class’ function handler, which failed to properly sanitize the output value of a hook that controls and filters the CSS classes (design and layout) for the main body tag in the admin area of WordPress sites.

The 'admin_body_class' function code
The ‘admin_body_class’ function (Patchstack)

An attacker can leverage an unsafe direct code concatenation on the plugin’s code, specifically the ‘$this→view’ variable, to add harmful code (DOM XSS payloads) in its components that will pass to the final product, a class string.

The cleaning function used by the plugin, ‘sanitize_text_field,’ will not stop the attack because it won’t catch the malicious code injection.

Accessing 'this->view’ variable through the ‘current_screen’ function” height=”212″ src=”https://www.bleepstatic.com/images/news/u/1220909/2023/WordPress/8/this-post.jpg” width=”766″><figcaption><strong>Accessing ‘this->view’ variable through the ‘current_screen’ function</strong> <em>(Patchstack)</em></figcaption></figure></div>
<p>The developer fixed the flaw in version 6.1.6 by implementing a new function named ‘<a href=esc_attr‘ that properly sanitizes the output value of the admin_body_class hook, hence, preventing the XSS.

All users of ‘Advanced Custom Fields’ and ‘Advanced Custom Fields Pro’ are advised to upgrade to version 6.1.6 or later as soon as possible.

Based on WordPress.org download stats, 72.1% of the plugin’s users are still using versions below 6.1, which are vulnerable to XSS and other known flaws.


Original Source


A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

Buy Me A Coffee
Patreon

 To keep up to date follow us on the below channels.

join
Telegram
discord
Discord
reddit
Reddit
linkedin
LinkedIn