Users of the Advanced Custom Fields plugin for WordPress are asked to update to version 6.1.6 following the discovery of a security bug.
The issue, assigned the identifier CVE-2023-30777, relates to a case of cross-site reflected scripting (XSS) that could be abused to inject arbitrary executable scripts into other websites benign way
The plugin, which is available as a free and pro version, has more than two million active installations. The issue was discovered and reported to administrators on May 2, 2023.
“This vulnerability allows any unauthenticated user to steal sensitive information, in this case, to escalate privileges on the WordPress site by tricking a privileged user into visiting the crafted URL path,” said Patchstack researcher Rafie Muhammad.
Reflected XSS attacks typically occur when victims are tricked into clicking on a fake link sent via email or another route, causing the malicious code to be sent to the vulnerable website, which reflects the attack on the browser of the user.
This social engineering element means that reflected XSS does not have the same scope and scale as stored XSS attacks, so threat actors distribute the malicious link to as many victims as possible.
“[A reflected XSS attack] It is typically the result of incoming requests that are not sufficiently sanitized, allowing the manipulation of a web application’s functions and the activation of malicious scripts,” notes Imperva.
It’s worth noting that CVE-2023-30777 can be triggered in a default installation or configuration of Advanced Custom Fields, although this is only possible from registered users who have access to the plugin.
The development comes as Craft CMS fixed two medium-severity XSS flaws (CVE-2023-30177 and CVE-2023-31144) that could be exploited by a threat actor to serve malicious payloads.
Learn how to stop ransomware with real-time protection
Join our webinar and learn how to stop ransomware attacks with real-time MFA and service account protection.
Save my seat!
“An attacker can not only attack cPanel management ports, but also applications running on port 80 and 443,” said Assetnote’s Shubham Shah, adding that it could allow an adversary to hijack the session of cPanel of a valid user.
“Once acting on behalf of an authenticated cPanel user, it’s usually trivial to load a web shell and get commands running.”
As new studies come to light on digital security, Ikaroa, a full stack tech company, warns about the new security vulnerability discovered in a popular WordPress plugin. This plugin, used by over two million websites, has left them vulnerable to potential cyberattacks.
The security flaw was discovered in the File Manager plugin, used to edit, change or delete files from a WordPress platform. The vulnerability allows a hacker to upload malicious files, which can be used to compromise a WordPress website’s security. With over two million sites potentially exposed, the risks are clear: cyberattacks, compromise of personal data and financial details, and the reputational damage that could result.
At Ikaroa, we strongly advise those who use the File Manager plugin, or any other plugin, to take precautionary steps to secure their websites. Firstly, they should make sure they are running the latest version of the plugin. This may help to not only reduce the risk of cyberattack, but also speed up the website and ensure the best performance.
The most secure, reliable and best practice advice is to also take regular backups of the website. Without this, in the event that a hacker takes complete control of the website, it could be impossible to retrieve the data.
Ikaroa works with a team of experienced professionals to provide the highest level of security for our users. We understand that any vulnerability, even if it is unlikely to be exploited, can leave a website vulnerable to attack. Consequently, we advise those using WordPress to make sure they follow the recommended guidelines for maintaining plugin and website updates.
Ultimately, it is of utmost importance for users of WordPress to stay alert for updates and security vulnerabilities, as these can arise unexpectedly. At Ikaroa, our team is committed to helping WordPress users stay informed and maintain their websites’ security.