"New Vulnerability in Popular WordPress Plugin Exposes Over 2 Million Sites to Cyberattacks"

Users of the Advanced Custom Fields plugin for WordPress are urged to update to version 6.1.6. The plugin has been found to contain a reflected cross-site scripting (XSS) vulnerability, tracked as CVE-2023-30777, which could be exploited to inject arbitrary executable scripts into affected websites. The plugin has over two million active installations and is available in both free and paid versions. The problem was detected and reported to the maintainers on May 2, 2023. According to Patchstack researcher Rafie Muhammad, the vulnerability allows any unauthenticated user to steal sensitive information and escalate privileges on a WordPress site by tricking a privileged user into visiting a crafted URL path. Reflected XSS attacks typically occur when a victim is lured into clicking a fraudulent link received via email or another channel; the malicious code carried in the link is sent to the vulnerable website, which reflects it back into the user's browser, where it executes. Because reflected XSS attacks lack the reach and scale of stored XSS attacks, threat actors spread the malicious link to as many victims as possible. This article continues to discuss the potential exploitation and impact of the vulnerability found in the Advanced Custom Fields plugin for WordPress.
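The reflected-XSS pattern described above comes down to a page writing a request parameter back into its HTML without encoding it. The following is an added example, not code from the article or from the Advanced Custom Fields plugin, and it says nothing about which parameter ACF mishandled: it assumes a hypothetical search page that echoes its `q` query parameter, and shows the vulnerable renderer beside the hardened one so the difference in output can be checked directly.

```javascript
// Added example (not from the article or the ACF plugin): a reflected-XSS
// pattern and its fix, shown as two renderers for a hypothetical search page
// that echoes the ?q= parameter of the request URL.

// HTML-encode the five characters that can break out of text or attribute
// context. This is the standard output-encoding defence for reflected XSS.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the query value is concatenated into the HTML unchanged, so any
// markup placed in the URL is reflected back and interpreted by the browser.
function renderVulnerable(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// Hardened: the user-controlled value is encoded for the HTML context it lands
// in before it is written into the page, so it is displayed as text only.
function renderSafe(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Pull the reflected parameter out of a full request URL the way a handler
// would, so both renderers can be compared on the same request.
function handleRequest(url, render) {
  const q = new URL(url).searchParams.get("q") ?? "";
  return render(q);
}

// Simple review check: does the unencoded input survive verbatim into the
// output while containing a tag opener? True means the page reflects markup.
function reflectsRawMarkup(html, input) {
  return input.includes("<") && html.includes(input);
}

// Constructed sample request: a script tag carried in the q parameter.
const sampleInput = "<script>alert(1)</script>";
const sampleUrl = "https://example.test/search?q=" + encodeURIComponent(sampleInput);

const badHtml = handleRequest(sampleUrl, renderVulnerable);
const goodHtml = handleRequest(sampleUrl, renderSafe);

console.log("vulnerable reflects markup:", reflectsRawMarkup(badHtml, sampleInput));
console.log("hardened reflects markup:  ", reflectsRawMarkup(goodHtml, sampleInput));
console.log(goodHtml);
```

In WordPress plugin code the equivalent of `escapeHtml` is passing every echoed value through `esc_html()` or `esc_attr()` (depending on whether it lands in text or in an attribute) immediately before output. The `reflectsRawMarkup` check is the kind of assertion a plugin's test suite or a code reviewer can apply to any handler that writes request data into a page.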

THN reports "New Vulnerability in Popular WordPress Plugin Exposes Over 2 Million Sites to Cyberattacks"
