
Vulnerability in popular WordPress plugin leaves more than 2 million websites exposed

8:51 pm, May 7, 2023

Security researchers from Patchstack, a WordPress security company, have discovered a vulnerability in the Advanced Custom Fields (ACF) plugin for WordPress that allows for an XSS attack.

The flaw, CVE-2023-30777, is a reflected cross-site scripting (XSS) vulnerability: a crafted URL carries script that the target site reflects back into its page, and the victim's browser executes it.

According to Patchstack, the issue allows an unauthenticated attacker to steal confidential information and escalate privileges on a WordPress site by tricking a privileged user into visiting a crafted URL.

It’s worth noting that CVE-2023-30777 can be triggered during the standard installation or configuration of Advanced Custom Fields, although only by users who are logged in and have access to the plugin. The Advanced Custom Fields plugin is installed on more than 2 million websites. The issue was discovered and reported to the development team on May 2. Users of the plugin are recommended to update to version 6.1.6.
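The bug class described above, as an added illustration that is neither the plugin's own code nor material from Patchstack's advisory: a hypothetical WordPress admin screen that writes a query-string value straight into its HTML, followed by the hardened form using WordPress's own escaping and nonce helpers. The parameter name `demo_tab`, the nonce action `demo_switch_tab` and the function names are invented for the example.

```php
<?php
// Added example (not ACF's code): a hypothetical admin screen that reflects
// a query-string value. Parameter and function names are invented.

// VULNERABLE: the value of ?demo_tab=... is written into the page unchanged.
// A logged-in administrator who follows a crafted link has the injected
// markup rendered in their browser with their own session, which is exactly
// the reflected-XSS path described in the article.
function demo_render_tab_vulnerable() {
    $tab = isset( $_GET['demo_tab'] ) ? $_GET['demo_tab'] : 'general';
    echo '<a href="?page=demo&demo_tab=' . $tab . '">' . $tab . '</a>';
}

// HARDENED: validate against an allow-list, escape for the exact HTML
// context (URL attribute vs. text node), and tie the link to a nonce so the
// tab switch cannot be forged from an arbitrary URL.
function demo_render_tab_hardened() {
    $allowed = array( 'general', 'advanced' );
    $tab     = isset( $_GET['demo_tab'] )
        ? sanitize_key( wp_unslash( $_GET['demo_tab'] ) )
        : 'general';
    if ( ! in_array( $tab, $allowed, true ) ) {
        $tab = 'general'; // unknown values fall back instead of being reflected
    }
    $url = wp_nonce_url(
        add_query_arg(
            array( 'page' => 'demo', 'demo_tab' => $tab ),
            admin_url( 'admin.php' )
        ),
        'demo_switch_tab'
    );
    echo '<a href="' . esc_url( $url ) . '">' . esc_html( $tab ) . '</a>';
}
```

The handler that acts on the tab switch should pair the nonce with `check_admin_referer( 'demo_switch_tab' )` and a capability check; the allow-list and context-specific escaping (`esc_url()` for the attribute, `esc_html()` for the text) are what stop the reflection itself.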
