WordPress Plugin Hole Puts '2 Million Websites' At Risk (theregister.com)

A vulnerability in the "Advanced Custom Fields" plugin for WordPress puts more than two million sites at risk of attack, warns Patchstack researcher Rafie Muhammad. The Register reports: Patchstack's advisory says there are more than two million active installs of the Advanced Custom Fields and Advanced Custom Fields Pro plugins, which give site operators greater control over their content and data, such as edit screens and custom field data. Patchstack researcher Rafie Muhammad uncovered the vulnerability on February 5 and reported it to the plugin's vendor, Delicious Brains, which took over the software last year from developer Elliot Condon. On May 5, a month after Delicious Brains released a patched version of the plugins, Patchstack published details of the flaw. Users are advised to update the plugin to version 6.1.6 or later.

The flaw, tracked as CVE-2023-30777 and rated 6.1 out of 10 on the CVSS scale, exposes sites to reflected cross-site scripting (XSS). In a reflected XSS attack the attacker places script in a request, typically inside a crafted URL, and the server "reflects" that input into its response without encoding it, so the script runs in the browser of whoever opens the link. In effect it lets the attacker run JavaScript within another person's view of the page: read information from it, perform actions as that user, and so on. That is a serious problem when the visitor is a logged-in administrator, because that session can be used to take over the website.

"This vulnerability allows any unauthenticated user [to steal] sensitive information to, in this case, privilege escalation on the WordPress site by tricking the privileged user to visit the crafted URL path," Patchstack wrote in its report. The outfit added that "this vulnerability could be triggered on a default installation or configuration of Advanced Custom Fields plugin. The XSS also could only be triggered from logged-in users that have access to the Advanced Custom Fields plugin."
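Reflected XSS in miniature, as an added example that is not part of the article or of the Advanced Custom Fields code: a Python stand-in for a plugin admin page that reflects a query parameter into its HTML. The parameter name post_status, the host blog.example and the payload are constructed for the illustration and say nothing about the real ACF bug. The vulnerable renderer concatenates the decoded value straight into the page; the fixed one HTML-encodes it for an element-text context, which is what WordPress's esc_html() does. The crafted link is what an attacker would have to get a logged-in, privileged user to open.

```python
import html
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit


def _reflected_param(url: str, name: str) -> str:
    """Return the decoded value of query parameter `name`, or '' if absent."""
    query = urlsplit(url).query
    return parse_qs(query, keep_blank_values=True).get(name, [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflect the hypothetical 'post_status' parameter without encoding.

    Deliberately vulnerable: whatever the URL carries lands in the HTML
    verbatim, so a <script> tag in the query string becomes live script.
    """
    value = _reflected_param(url, "post_status")
    return f'<div class="notice">Showing status: {value}</div>'


def render_fixed(url: str) -> str:
    """Same page, but the reflected value is HTML-encoded for element text.

    html.escape() turns < > & " ' into entities, so the browser renders the
    payload as literal characters instead of executing it. Note this is the
    right encoding only for text nodes; values placed inside attributes,
    URLs or inline JavaScript each need their own context-specific encoding.
    """
    value = _reflected_param(url, "post_status")
    return f'<div class="notice">Showing status: {html.escape(value, quote=True)}</div>'


def build_attack_url(base_url: str, param: str, payload: str) -> str:
    """Craft the link an attacker would send to a privileged user.

    urlencode() percent-encodes the payload; the server decodes it again
    before reflecting it, so the script arrives intact.
    """
    parts = urlsplit(base_url)
    query = urlencode({param: payload})
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


def executes_script(rendered_html: str) -> bool:
    """Crude check used here: does the response contain a raw <script> tag?

    An encoded payload shows up as &lt;script&gt;, which does not match.
    """
    return "<script>" in rendered_html.lower()


# Constructed sample values for the demonstration (not from the real plugin).
PAYLOAD = "<script>alert(document.domain)</script>"
ADMIN_PAGE = "https://blog.example/wp-admin/edit.php"
ATTACK_URL = build_attack_url(ADMIN_PAGE, "post_status", PAYLOAD)


if __name__ == "__main__":
    print("Crafted URL:", ATTACK_URL)
    print("Vulnerable :", render_vulnerable(ATTACK_URL))
    print("Fixed      :", render_fixed(ATTACK_URL))
```

The same two renderers behave identically on a benign value such as post_status=draft, which is why this class of bug survives ordinary testing: nothing breaks until someone supplies markup. Patchstack's note that the page "could only be triggered from logged-in users that have access to the plugin" maps onto the victim side of the example, not the attacker side; the attacker needs no account at all, only a way to deliver the link.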

Comments:
  • ArmoredSkink (Score:2, Interesting)

    Hey look, Skink, another vulnerability when using a memory safe language!
  • Blogosphere (Score:4, Funny)

    by TwistedGreen ( 80055 ) on Monday May 08, 2023 @10:02PM (#63507943)

    Pretty much any site running WordPress only exists to serve Google ads, so I don't get why Google doesn't just make their own super-secure open-source blogging system and make it free for everyone to use. Then they can abandon it in 3-5 years.

  • super rare, like gaffes from the top Presidential candidates.

  • by PPH ( 736903 ) on Monday May 08, 2023 @11:23PM (#63508007)

    Can you still call it Swiss cheese if there are so many holes that there's no cheese left?

    • Ironically, modern cheese processing is so hygienic, that we have to add impurities to Swiss cheese on purpose to create the holes.

      Comparing web application security to Swiss cheese is an insult to the food industry. 8)

  • For WordPress this is just a normal day at the park. If we are going to see an article every time there is a medium vulnerability for WordPress then we are going to be drowning in them. At least limit the accepted stories to the high and critical ones.
  • "The XSS also could only be triggered from logged-in users that have access to the Advanced Custom Fields plugin." - so, only a tiny portion of actual installs are vulnerable - far fewer than 2 million.
  • I can tell when a new WordPress exploit came out because my NON-WordPress sites get a rush of new "404 Not Found" requests.

    Anyone else remember when "phpmyadmin" was the most frequent target?
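The signal described in the comment above, turned into a small detector, as an added example that is neither the commenter's code nor anything from the article: a Python script that parses combined-format access log lines and flags clients that rack up several 404s on WordPress-specific paths within a short window on a host that runs no WordPress. The log lines, IP addresses, timestamps and the probed plugin readme paths are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log sample in Apache/nginx "combined" format. Made up for
# this example; not captured from any real server. 203.0.113.7 sweeps a
# non-WordPress host for WordPress paths; 198.51.100.4 is an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [08/May/2023:22:01:10 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [08/May/2023:22:01:11 +0000] "GET /wp-content/plugins/advanced-custom-fields/readme.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [08/May/2023:22:01:11 +0000] "GET /wp-content/plugins/advanced-custom-fields-pro/readme.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [08/May/2023:22:01:12 +0000] "GET /xmlrpc.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.4 - - [08/May/2023:22:05:00 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [08/May/2023:22:05:02 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

# Client, timestamp, request line and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Paths that only make sense on a WordPress install. On a host that runs no
# WordPress, a 404 on one of these is almost always a scanner.
WP_PATH_RE = re.compile(
    r"^/(wp-login\.php|xmlrpc\.php|wp-admin/|wp-content/|wp-includes/|wp-json/)"
)


def parse_line(line: str):
    """Return a dict with ip, ts, path, status, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "path": m["path"], "status": int(m["status"])}


def wordpress_probe_sources(log_text: str,
                            window: timedelta = timedelta(minutes=5),
                            threshold: int = 3) -> dict:
    """Map each flagged client IP to the WordPress paths it probed.

    A client is flagged when at least `threshold` of its 404 responses on
    WordPress-specific paths fall inside any `window`-long span.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 404 and WP_PATH_RE.match(rec["path"]):
            hits[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in hits.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until it spans at most `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = [r["path"] for r in recs]
                break
    return flagged


if __name__ == "__main__":
    for ip, paths in wordpress_probe_sources(SAMPLE_LOG).items():
        print(f"{ip}: {len(paths)} WordPress probes, e.g. {paths[0]}")
```

The path list is the part to tune: on a site that does run WordPress, a 404 on a plugin's readme.txt is routine for any plugin that is not installed, so the same heuristic would need a higher threshold or a narrower path set there. Feeding the flagged addresses into a block list is cheap, but the more useful output is the path list itself, since the plugin slugs scanners start requesting are a decent early indicator of which advisory they are chasing.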
