WordPress Custom Field Plugin Bug Exposes Over 1M Sites to XSS Attacks

Cyber Security Threat Summary:
“Security researchers warn that the 'Advanced Custom Fields' and 'Advanced Custom Fields Pro' WordPress plugins, with millions of installs, are vulnerable to cross-site scripting attacks (XSS). The two plugins are among WordPress's most popular custom field builders, with 2,000,000 active installs on sites worldwide. Patchstack's researcher Rafie Muhammad discovered the high-severity reflected XSS vulnerability on May 2, 2023, which was assigned the identifier CVE-2023-30777. XSS bugs generally allow attackers to inject malicious scripts on websites viewed by others, resulting in the execution of code on the visitor's web browser. Patchstack says the XSS flaw could allow an unauthenticated attacker to steal sensitive information and escalate their privileges on an impacted WordPress site” (Bleeping Computer, 2023).

According to Muhammad, the flaw can be triggered on a default installation and configuration of the Advanced Custom Fields plugin. However, the payload only executes in the browser of a logged-in user who has access to the plugin, so an attacker needs no account of their own but must social-engineer such a user into visiting a crafted URL. This is why the flaw is described as exploitable by an unauthenticated attacker while still depending on victim interaction.

Technical Details:
CVE-2023-30777 is due to improper output sanitization in the plugin's handler for the “admin_body_class” hook, which controls the CSS classes applied to the body tag of the WordPress admin area.

“An attacker can leverage an unsafe direct code concatenation on the plugin's code, specifically the '$this->view' variable, to add harmful code (DOM XSS payloads) in its components that will pass to the final product, a class string” (Bleeping Computer, 2023).

The fix wraps the value in WordPress's core “esc_attr” function, which escapes the output of the admin_body_class handler so that quotes and angle brackets in the untrusted portion are rendered as text inside the class attribute rather than closing it and starting a new tag.
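To make the mechanism concrete, the following Python model is an added example and is not the plugin's code. It reproduces the pattern the article describes: an attacker-influenced string is concatenated straight into the class string returned from an admin_body_class-style handler, and WordPress drops that string into the body tag. The query parameter name "view", the "acf-" class prefix, the host name, and the payload are all constructed for illustration; Python's html.escape(quote=True) stands in for WordPress's esc_attr(), which escapes the same characters that matter here.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests to an admin page. The "view" parameter name and the
# "acf-" prefix are assumptions for illustration, not the plugin's actual code.
ATTACK_URL = (
    "https://example.test/wp-admin/edit.php?post_type=acf-field-group"
    "&view=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%3Cx%20class%3D%22"
)
BENIGN_URL = "https://example.test/wp-admin/edit.php?post_type=acf-field-group&view=list"

BASE_CLASSES = "wp-admin wp-core-ui"


def view_from_url(url: str) -> str:
    """Return the URL-decoded, attacker-influenced 'view' query parameter."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("view", [""])[0]


def admin_body_class_vulnerable(classes: str, view: str) -> str:
    """Unsafe pattern: raw concatenation of untrusted text into the class string.

    Anything in `view` ends up verbatim inside the body tag's class attribute.
    """
    return classes + " acf-" + view


def admin_body_class_fixed(classes: str, view: str) -> str:
    """Hardened pattern: attribute-escape the untrusted part before concatenation.

    html.escape(quote=True) turns &, <, >, " and ' into entities, the same set
    WordPress's esc_attr() neutralises, so the value cannot close the attribute.
    """
    return classes + " acf-" + html.escape(view, quote=True)


def render_body_tag(class_string: str) -> str:
    """What the admin template does with the filtered string: emit the body tag."""
    return '<body class="%s">' % class_string


def attribute_is_intact(body_tag: str) -> bool:
    """Structural check: a well-formed body tag has exactly two double quotes
    (around the class value) and exactly one '<' (the tag itself). Any extra
    quote or angle bracket means the untrusted value escaped the attribute.
    """
    return body_tag.count('"') == 2 and body_tag.count("<") == 1


if __name__ == "__main__":
    payload = view_from_url(ATTACK_URL)
    for label, handler in (("vulnerable", admin_body_class_vulnerable),
                           ("fixed", admin_body_class_fixed)):
        tag = render_body_tag(handler(BASE_CLASSES, payload))
        print(f"{label:10s} intact={attribute_is_intact(tag)} {tag}")
```

Run against the benign URL both handlers produce the identical class string, which is the point of the fix: escaping changes nothing for legitimate values and only bites when the value contains attribute-breaking characters. The structural check is deliberately crude; it is meant to show why the unescaped output is a complete tag injection, not to serve as a detector.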

Suggested Corrections:
All users of 'Advanced Custom Fields' and 'Advanced Custom Fields Pro' are advised to upgrade to version 6.1.6 or later as soon as possible. Based on WordPress.org download stats, 72.1% of the plugin's users are still using versions below 6.1, which are vulnerable to XSS and other known flaws.

Link:
https://www.bleepingcomputer.com/