WordPress custom field plugin bug exposes over 1M sites to XSS attacks

@ndma 09 May 2023

Security researchers warn that the 'Advanced Custom Fields' and 'Advanced Custom Fields Pro' WordPress plugins, with millions of installs, are vulnerable to cross-site scripting attacks (XSS).

The two plugins are among WordPress's most popular custom field builders, with 2,000,000 active installs on sites worldwide.

Patchstack's researcher Rafie Muhammad discovered the high-severity reflected XSS vulnerability on May 2, 2023, which was assigned the identifier CVE-2023-30777.

Note that this vulnerability could be triggered on a default installation or configuration of the Advanced Custom Fields plugin. The XSS could also only be triggered by logged-in users who have access to the Advanced Custom Fields plugin. This means that an unauthenticated attacker would still have to social engineer someone with access to the plugin into visiting a malicious URL to trigger the flaw.

The CVE-2023-30777 flaw stems from the 'admin_body_class' function handler, which failed to properly sanitize the output value of a hook that controls and filters the CSS classes (design and layout) for the main body tag in the admin area of WordPress sites.

An attacker can leverage unsafe direct string concatenation in the plugin's code, specifically of the '$this->view' variable, to inject harmful code (DOM XSS payloads) into one of the components that is carried through to the final product, a class string.

The cleaning function used by the plugin, 'sanitize_text_field', will not stop the attack because it does not catch this kind of injection: the payload contains no HTML tags, only a closing double quote followed by a new attribute, which tag-stripping leaves untouched.

The XSS could be executed using a payload similar to the following example:

http://<WORDPRESS_SITE>/wp-admin/edit.php?post_type=acf-field-group&post_status=xxxxxxx" onload=alert(document.domain) xxx="

The reflected HTML structure displayed on the front-end might resemble:

<body class="wp-admin wp-core-ui no-js acf-admin-5-3 acf-browser-chrome acf-admin-page acf-internal-post-type acf-admin-field-groups view-xxxxxxx\" onload=alert(document.domain) xxx=\" edit-php auto-fold admin-bar post-type-acf-field-group branch-6-2 version-6-2 admin-color-fresh locale-en-us no-customize-support no-svg">
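The root cause described above is a context mismatch: the value is sanitised as plain text but written into an HTML attribute without attribute escaping. The following added example (not ACF's code) models that with simplified stand-ins for WordPress's sanitize_text_field() and esc_attr(), builds the body tag the way the reflected markup suggests (the exact class-building code is an assumption), and uses a real HTML parser to show which attributes a browser would see before and after the fix.

```python
"""Models the CVE-2023-30777 root cause: a request value sanitised as text
but never escaped for the HTML attribute it is concatenated into.
The WordPress helpers are replaced by simplified, constructed stand-ins."""
import html
import re
from html.parser import HTMLParser

# Value of the post_status parameter from the page's example URL.
PAYLOAD = 'xxxxxxx" onload=alert(document.domain) xxx="'


def sanitize_text_field_like(value: str) -> str:
    """Stand-in for sanitize_text_field(): strips tags, collapses whitespace.
    Note what it does NOT do: touch double quotes."""
    value = re.sub(r"<[^>]*>", "", value)
    return " ".join(value.split())


def esc_attr_like(value: str) -> str:
    """Stand-in for esc_attr(): encodes & < > \" ' for attribute context."""
    return html.escape(value, quote=True)


def body_tag(post_status: str, escape_output: bool) -> str:
    """Builds the admin <body> tag; 'view-<status>' mirrors the reflected
    markup on the page. escape_output=False is the vulnerable pattern,
    escape_output=True escapes the class string at output time."""
    classes = "wp-admin acf-admin-field-groups view-" + sanitize_text_field_like(post_status)
    if escape_output:
        classes = esc_attr_like(classes)
    return f'<body class="{classes}">'


class _BodyAttrs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.attrs = dict(attrs)


def body_attributes(markup: str) -> dict:
    """Defender's check: which attributes does a parser see on <body>?"""
    parser = _BodyAttrs()
    parser.feed(markup)
    return parser.attrs


if __name__ == "__main__":
    for escaped in (False, True):
        tag = body_tag(PAYLOAD, escaped)
        print(tag)
        print("  attributes seen by parser:", sorted(body_attributes(tag)))
```

With escaping off the parser reports class, onload and xxx as separate attributes; with esc_attr-style escaping the whole payload stays inside the single class value.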


https://www.bleepingcomputer.com/news/security/wordpress-custom-field-plugin-bug-exposes-over-1m-sites-to-xss-attacks/
https://wordpress.org/plugins/advanced-custom-fields/advanced/
https://securityonline.info/cve-2023-30777-xss-flaw-found-in-wordpress-plugin-with-more-than-2-million-installations/