WordPress plugin security flaw could affect millions of websites – how to check if you’re vulnerable

A serious security vulnerability has been discovered in the Advanced Custom Fields plugin, a popular tool for the WordPress website builder. With over two million active installs, the plugin allowed threat actors to exploit a flaw and potentially steal sensitive data from website visitors or even take complete control of the website.

The Advanced Custom Fields plugin, along with its Pro version, provides website administrators with enhanced control over content and data management. However, the plugin was found to be susceptible to a cross-site scripting (XSS) attack, which enables attackers to inject malicious code into vulnerable websites. When visitors access the compromised website, the injected code executes in their browsers, allowing the attackers to extract sensitive information. In some cases, if the visitor happens to be the site’s administrator, the attacker can also gain access to their data, ultimately leading to a complete takeover of the website.

The vulnerability was initially discovered in May 2023 by Rafie Muhammad, a researcher at Patchstack, who promptly reported it to the plugin’s vendor, Delicious Brains. The vulnerability was assigned the tracking number CVE-2023-30777 and was rated 6.1 out of 10 in terms of severity. Two months later, in early April, Delicious Brains released a patch that addressed the vulnerability, updating the plugin to version 6.1.6. Website administrators are strongly advised to update their Advanced Custom Fields plugin to this version as soon as possible, particularly if they are concerned about cross-site scripting attacks.

Patchstack highlights that this vulnerability allowed any unauthenticated user to steal sensitive information or escalate privileges on WordPress sites by tricking privileged users into visiting a specially crafted URL path. The vulnerability could be triggered in the default installation or configuration of the Advanced Custom Fields plugin and could only be exploited by logged-in users with access to the plugin, as stated by the researchers.

According to The Register, this vulnerability is relatively straightforward and is one of four discovered in the Advanced Custom Fields plugin over the past couple of years. The incident highlights the importance of timely software updates and security patches to protect websites from potential vulnerabilities and safeguard sensitive user data.

Website administrators are encouraged to stay vigilant and promptly apply security patches and updates provided by plugin vendors to mitigate the risk of exploitation by malicious actors. Regular security audits and adherence to best practices are crucial to maintaining a secure online presence.