New XSS Vulnerability Leaves Over 2 Million WordPress Sites Unprotected
A newly disclosed cross-site scripting vulnerability in a popular plugin puts more than two million WordPress sites at risk until they are updated.
The vulnerability, found within the widely used Advanced Custom Fields plugin, impacts both the free and pro versions, necessitating immediate updates to version 6.1.6.
Tracked as CVE-2023-30777, the cross-site scripting (XSS) flaw allows an attacker to inject executable scripts into pages of the site's administration area. It can be exploited on a default installation and configuration of the plugin; the only prerequisite is that the victim who opens the attacker's crafted link is a logged-in user with access to the plugin, since the injected script runs with that user's privileges.
"This vulnerability stems from the direct construction of a variable on the HTML without adequate sanitization. Applying the esc_attr function is sufficient to rectify the issue," explains Do Son from SecurityOnline.info.
The attack is a reflected XSS: the attacker has to trick a privileged user into opening a crafted URL, and the script embedded in that URL is then reflected into the page and executed in the victim's browser session. This lets an otherwise unauthenticated attacker escalate privileges and steal sensitive data, such as session cookies or nonces, from the logged-in user.
As reported by Hacker News, the reach of such attacks is inherently limited, because each one succeeds only against a victim who actually opens the link; attackers therefore try to distribute the malicious link as widely as possible.
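To make the bug class concrete, the following PHP script is an added illustration, not the Advanced Custom Fields plugin's own code (which this page does not reproduce). It shows how concatenating a query-string value into an HTML attribute gives a reflected XSS, and how applying esc_attr closes it, as the quote above describes. The function names, the hypothetical `view` parameter and the payload are all invented for the example; the esc_attr fallback at the top only stands in for WordPress's real function so the script can run from the command line outside WordPress.

```php
<?php
// Added illustration of the reflected-XSS bug class described in the article.
// Not the plugin's code. Run with: php reflected_xss_demo.php

// Stand-in for WordPress's esc_attr() so the script runs outside WordPress.
// WordPress's own implementation also normalises the input encoding; the part
// that matters here is that the attribute-breaking characters get escaped.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}

// Hypothetical vulnerable filter: a body class is built from a request value
// (imagine $_GET['view'] in an admin page) with no sanitisation at all.
function vulnerable_admin_body_class( $classes, $view ) {
    return $classes . ' acf-admin-page acf-view-' . $view;
}

// Fixed version: the only change is escaping the untrusted value before it
// is placed inside the attribute.
function fixed_admin_body_class( $classes, $view ) {
    return $classes . ' acf-admin-page acf-view-' . esc_attr( $view );
}

// Constructed attacker input, the kind of value a crafted link would carry in
// the query string. The double quote closes the class attribute, and what
// follows becomes a new tag in the victim's admin page.
$payload = 'x"><script>alert(document.cookie)</script><div class="';

foreach ( array( 'vulnerable' => 'vulnerable_admin_body_class',
                 'fixed'      => 'fixed_admin_body_class' ) as $label => $fn ) {
    // Render the <body> tag the way an admin page template would.
    $html = '<body class="' . $fn( 'wp-admin', $payload ) . '">';
    printf( "%-11s %s\n", $label . ':', $html );
}
```

In the first line of output the attacker's `"><script>` breaks out of the class attribute and lands in the page as a live tag; in the second it is rendered as `&quot;&gt;&lt;script&gt;` and stays inert inside the attribute. Inside WordPress the same fix applies to any value that reaches an attribute from `$_GET`, `$_POST` or the request URI; `esc_html()` is the counterpart for text content and `wp_kses()` for HTML that must keep a whitelist of tags.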
A separate, recently disclosed XSS flaw in cPanel similarly allows threat actors to hijack a legitimate user's cPanel session and attack applications served on ports 80 and 443.
In response to the vulnerability, site owners running Advanced Custom Fields or Advanced Custom Fields Pro version 6.1.5 or earlier are urged to upgrade to the patched release, 6.1.6; the installed version is listed on the Plugins screen of the WordPress dashboard.