XSS vulnerability found in popular WordPress plugins
Security researchers have discovered a vulnerability in two of the most popular WordPress custom field builders, 'Advanced Custom Fields' and 'Advanced Custom Fields Pro,' which are used by millions of sites worldwide. The plugins are vulnerable to cross-site scripting (XSS) attacks, which can be used by attackers to inject malicious scripts into websites, allowing them to execute code on the visitor's web browser.
The vulnerability was discovered by Patchstack's researcher Rafie Muhammad on May 2, 2023, and assigned the identifier CVE-2023-30777. The high-severity reflected XSS flaw is caused by the 'admin_body_class' function handler, which failed to properly sanitize the output value of a hook that controls and filters the CSS classes for the main body tag in the admin area of WordPress sites.
Patchstack warns that the vulnerability could be exploited by an unauthenticated attacker to steal sensitive information and escalate their privileges on an impacted WordPress site. The XSS flaw could only be triggered by logged-in users that have access to the Advanced Custom Fields plugin. This means that the attacker would still have to social engineer someone with access to the plugin to visit a malicious URL to trigger the flaw.
Plugin developer's response WordPress plugin vulnerability
Upon discovery, the plugin developer was notified of the issue and released a security update on May 4, 2023, in version 6.1.6, which fixes the vulnerability and prevents XSS attacks. All users of 'Advanced Custom Fields' and 'Advanced Custom Fields Pro' are advised to upgrade to version 6.1.6 or later immediately.
What is XSS?
Cross-site scripting (XSS) is a security vulnerability that enables attackers to insert harmful scripts into web pages that others view. These scripts can run on the victim's browser, giving the attacker access to sensitive information, like financial data or login credentials. The severity of an XSS attack can range from minor annoyances, like pop-up ads, to severe outcomes like identity theft or taking control of a user's device.
Typically, XSS attacks exploit input fields such as login forms or search bars, where users can enter data that is then displayed on the website without appropriate validation or sanitization.
How the vulnerability was resolved?
The developer fixed the flaw by implementing a new function named 'esc_attr' that properly sanitizes the output value of the admin_body_class hook, preventing the XSS. An attacker can leverage an unsafe direct code concatenation on the plugin's code, specifically the '$this?view' variable, to add harmful code (DOM XSS payloads) in its components that will pass to the final product, a class string. The cleaning function used by the plugin, 'sanitize_text_field,' will not stop the attack because it won't catch the malicious code injection.
Despite the availability of the security update, WordPress.org download stats reveal that 72.1% of the plugin's users are still using versions below 6.1, leaving them vulnerable to known flaws, including XSS. Therefore, it's essential that users update their plugins as soon as possible to avoid any security risks.
The 'Advanced Custom Fields' and 'Advanced Custom Fields Pro' plugins are widely used custom field builders on WordPress, making them a popular target for attackers. With millions of installs worldwide, the risk of XSS attacks can lead to significant damage to the affected sites. All users of these plugins are urged to update to version 6.1.6 or later immediately to avoid any security vulnerabilities.Advertisement