WordPress plugin security flaw could affect millions of websites – how to check if you’re vulnerable
The vulnerability was initially discovered in May 2023 by Rafie Muhammad, a researcher at Patchstack, who promptly reported it to the plugin's vendor, Delicious Brains. It was assigned the tracking number CVE-2023-30777 and given a severity score of 6.1 out of 10. Two months later, in early April, Delicious Brains released a patch that addressed the vulnerability, updating the plugin to version 6.1.6. Website administrators are strongly advised to update their Advanced Custom Fields plugin to this version as soon as possible, particularly if they are concerned about cross-site scripting attacks.
Patchstack highlights that this vulnerability allowed any unauthenticated user to steal sensitive information or escalate privileges on WordPress sites by tricking privileged users into visiting a specially crafted URL path. According to the researchers, the vulnerability could be triggered in a default installation or configuration of the Advanced Custom Fields plugin and could only be exploited by logged-in users with access to the plugin.
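To check whether an install is still on a vulnerable release, the plugin's own version header can be compared against the fixed version named above. This is an added example, not code from Patchstack or Delicious Brains; it assumes the plugin lives under wp-content/plugins/advanced-custom-fields (or -pro) with acf.php as its main file, and uses a constructed sample header so it runs offline.

```python
from __future__ import annotations
import re
from pathlib import Path

# Fixed release named in the article: ACF 6.1.6 patches CVE-2023-30777.
FIXED_VERSION = "6.1.6"

# Assumed install locations; both editions are assumed to use acf.php as
# their main plugin file, which is where WordPress reads the header from.
ACF_MAIN_FILES = (
    "advanced-custom-fields/acf.php",
    "advanced-custom-fields-pro/acf.php",
)

def parse_version(text: str) -> tuple[int, ...]:
    """Turn '6.1.6' into (6, 1, 6) so comparison is numeric, not lexical.
    A plain string compare would wrongly rank '6.1.10' below '6.1.6'."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def version_from_header(header: str) -> str | None:
    """Extract the 'Version:' field from a WordPress plugin file header."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\w.\-]+)", header, re.MULTILINE)
    return m.group(1) if m else None

def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version predates the fixed release."""
    return parse_version(installed) < parse_version(fixed)

def check_site(wp_root: str) -> dict[str, bool]:
    """Scan one WordPress root for ACF copies; map plugin file -> vulnerable?"""
    results: dict[str, bool] = {}
    for rel in ACF_MAIN_FILES:
        path = Path(wp_root) / "wp-content" / "plugins" / rel
        if path.is_file():
            # The header sits at the top of the file; 4 KiB is plenty.
            header = path.read_text(errors="ignore")[:4096]
            ver = version_from_header(header)
            if ver:
                results[rel] = is_vulnerable(ver)
    return results

# Constructed sample header in the shape WordPress expects in acf.php.
SAMPLE_HEADER = """<?php
/*
Plugin Name: Advanced Custom Fields
Version: 6.1.5
*/
"""

if __name__ == "__main__":
    v = version_from_header(SAMPLE_HEADER)
    print(f"sample header version {v}: vulnerable={is_vulnerable(v)}")
```

Run `check_site("/var/www/html")` (or wherever the site's WordPress root is) to report every installed ACF copy that still needs the 6.1.6 update.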