WordPress Plugin Hole Puts '2 Million Websites' At Risk (theregister.com)
A vulnerability in the "Advanced Custom Fields" plugin for WordPress is putting more than two million users at risk of cyberattacks, warns Patchstack researcher Rafie Muhammad. The Register reports: A warning from Patchstack about the flaw claimed there are more than two million active installs of the Advanced Custom Fields and Advanced Custom Fields Pro versions of the plugins, which are used to give site operators greater control of their content and data, such as edit screens and custom field data. Patchstack researcher Rafie Muhammad uncovered the vulnerability on February 5, and reported it to Advanced Custom Fields' vendor Delicious Brains, which took over the software last year from developer Elliot Condon. On May 5, a month after a patched version of the plugins was released by Delicious Brains, Patchstack published details of the flaw. It's recommended users update their plugin to at least version 6.1.6.
The flaw, tracked as CVE-2023-30777 and with a CVSS score of 6.1 out of 10 in severity, leaves sites vulnerable to reflected XSS attacks, which involve miscreants injecting malicious code into webpages. The code is then "reflected" back and executed within the browser of a visitor. Essentially, it allows someone to run JavaScript within another person's view of a page, allowing the attacker to do things like steal information from the page, perform actions as the user, and so on. That's a big problem if the visitor is a logged-in administrative user, as their account could be hijacked to take over the website.
"This vulnerability allows any unauthenticated user [to steal] sensitive information to, in this case, privilege escalation on the WordPress site by tricking the privileged user to visit the crafted URL path," Patchstack wrote in its report. The outfit added that "this vulnerability could be triggered on a default installation or configuration of Advanced Custom Fields plugin. The XSS also could only be triggered from logged-in users that have access to the Advanced Custom Fields plugin."
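The summary above says the fix is to run at least version 6.1.6. As an added example (not code from Patchstack, The Register or the plugin's vendor), here is a small inventory check that reads the `Version:` field of a WordPress plugin file header and flags installs below the fixed release; the sample header is constructed, and in practice the header text would be read from the plugin's main PHP file on each site:

```python
import re
from typing import Dict, Optional, Tuple

# First fixed release named in the advisory summary (CVE-2023-30777).
FIXED_VERSION = "6.1.6"

# Constructed sample plugin header, not copied from the real plugin.
SAMPLE_HEADER = """<?php
/*
 * Plugin Name: Advanced Custom Fields
 * Version: 6.1.5
 */
"""

def parse_plugin_version(header_text: str) -> Optional[str]:
    """Return the 'Version:' field of a WordPress plugin file header, or None."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.MULTILINE)
    return m.group(1) if m else None

def version_key(version: str) -> Tuple[Tuple[int, ...], int]:
    """Sortable key: numeric parts padded to at least three places; a
    '-suffix' (e.g. 6.1.6-beta1) sorts just below the matching release."""
    core, _, suffix = version.partition("-")
    nums = [int(p) for p in core.split(".") if p.isdigit()]
    nums += [0] * (3 - len(nums))
    return (tuple(nums), -1 if suffix else 0)

def is_vulnerable(version: str) -> bool:
    """True when the installed version predates the fixed release."""
    return version_key(version) < version_key(FIXED_VERSION)

def audit(headers: Dict[str, str]) -> Dict[str, Tuple[Optional[str], bool]]:
    """Map plugin slug -> (version, needs_update). A header whose version
    cannot be parsed is flagged for attention rather than silently passed."""
    result = {}
    for slug, text in headers.items():
        version = parse_plugin_version(text)
        result[slug] = (version, True if version is None else is_vulnerable(version))
    return result

if __name__ == "__main__":
    for slug, (version, flagged) in audit({"advanced-custom-fields": SAMPLE_HEADER}).items():
        print(f"{slug}: {version or 'unknown'} -> {'UPDATE' if flagged else 'ok'}")
```

The same check applies to the Pro variant, which the summary says shares the affected version range.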
ArmoredSkink (Score:2, Interesting)
Blogosphere (Score:4, Funny)
Pretty much any site running WordPress only exists to serve Google ads, so I don't get why Google doesn't just make their own super-secure open-source blogging system and make it free for everyone to use. Then they can abandon it in 3-5 years.
Re:Blogosphere (Score:4, Informative)
Re: (Score:2)
So this vulnerability only affects 0.002% of WordPress sites; that puts things into perspective.
Re: (Score:1)
Oh look at Twisted, what an edgelord you are - here's your prize.
So just so you know, I've had _tons_ of clients who run extranet/intranet as well as their primary facing website either on pretty vanilla WordPress or on very customized WordPress that looks nothing like it on the outside because of its ability to be heavily customized.
Re: (Score:3, Funny)
A WordPress plugin with a security hole? (Score:1)
super rare, like gaffes from the top Presidential candidates.
So many holes (Score:3)
Can you still call it Swiss cheese if there are so many holes that there's no cheese left?
Re: (Score:2)
Ironically, modern cheese processing is so hygienic that we have to add impurities to Swiss cheese on purpose to create the holes.
Comparing web application security to Swiss cheese is an insult to the food industry. 8)
why the article? (Score:2)
Re: (Score:3)
This isn't even a vulnerability in WordPress: it's a vulnerability in a WordPress PLUGIN.
Re: (Score:3, Insightful)
Re: (Score:2)
> [the real problem] is the shitty developers!!!
They merely give the customer what they want, which is eye-candy/fads and a low price; reliability and safety are a distant second.
NOT '2 Million Websites' (Score:1)
Re: (Score:2)
Yes, you ARE bad at math. According to wordpress.org, there are "2+ million" installs of this plugin and the patch was released over a month ago. So the current number of vulnerable installs is much lower than 2M.
Re: (Score:1)
Re: (Score:2)
Well, WordPress last time I looked (not that long ago) still had multiple methods of user enumeration, all neatly filed away as 'won't fix'.
Now this is an XSS vuln so I'll admit if you manage to do a cred-stuffing attack etc and already compromise the account by guessing the credential, I am unsure how you are going to make such a compromise worse unless you can cause other users to run the script.
XSS / CSRF / remote include attacks, even they are in authenticated contexts often represent privilege escalati
#1 target even when it's not there (Score:2)
Anyone else remember when "phpmyadmin" was the most frequent target?