May 8, 2023

Following the discovery of CVE-2023-30777, a security flaw characterized by reflected cross-site scripting (XSS), users of the Advanced Custom Fields plugin for WordPress are advised to update to version 6.1.6.

Malicious actors might use this flaw to insert arbitrary executable programs onto otherwise harmless websites. According to Patchstack researcher Rafie Muhammad, the vulnerability enables any unauthenticated user to collect critical information in order to acquire power escalation on the WordPress site by luring a privileged user into visiting the generated URL route.

According to Muhammad, reflected XSS attacks often occur when users are conned into clicking on a phony link delivered by email or another method, allowing the malicious code to be transferred to the susceptible website, which then reflects the attack back to the user’s browser.

According to Shubham Shah of Assetnote, the attacker may target not only the cPanel control ports, but also the apps running on ports 80 and 443. This might result in the hijacking of a genuine user’s cPanel session. When a person gets access to a cPanel user’s account, it is usually simple to upload a web shell and execute instructions on that user’s behalf.

CVE-2023-30777 may be enabled on a default Advanced Custom Fields installation or configuration, but only by logged-in users who have access to the plugin.

The sources for this piece include an article in TheHackerNews.