Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

WordPress Field Builder Plugin Vulnerability Exploited in Attacks Two Days After Patch

PoC exploit targeting an XSS vulnerability in the Advanced Custom Fields WordPress plugin started being used in malicious attacks two days after patch.

Threat actors were seen adopting public proof-of-concept (PoC) exploit code targeting a cross-site scripting (XSS) vulnerability in the Advanced Custom Fields WordPress plugin only two days after a patch was released, Akamai reports.

Tracked as CVE-2023-30777, the high-severity vulnerability could allow attackers to inject malicious scripts and other payloads into vulnerable websites. The code would be executed when guests visit the website.

Resulting from an improper sanitization of output in a function configured as an extra handler for a WordPress hook, the issue can be triggered on default plugin installations and does not require authentication for successful exploitation.

CVE-2023-30777 was addressed with the release of Advanced Custom Fields version 6.1.6 on May 4. The patch was included in version 5.12.6 of the plugin as well.

Exploitation attempts targeting the vulnerability, Akamai says, started ramping up on May 6, two days after the patch and one day after technical information on the bug were published.

According to Akamai, the most interesting aspect of the observed attacks was the fact that they were using the same PoC exploit that WordPress security company Patchstack, which identified the vulnerability, published on May 5.

Advertisement. Scroll to continue reading.

The threat actor behind this increasing volume of attacks that targeted organizations across multiple sectors does not appear sophisticated, given their “complete lack of effort to create a new exploit code”, Akamai notes.

With more than two million WordPress websites using Advanced Custom Fields, exploitation of CVE-2023-30777 will likely continue. Users are advised to update their installations as soon as possible.

Related: 1 Million WordPress Sites Impacted by Exploited Plugin Vulnerability

Related: Abandoned WordPress Plugin Abused for Backdoor Deployment

Related: WordPress Plugin Vulnerability Exposed Ferrari Website to Hackers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

Mark Carter has been appointed Chief Information Security Officer at Socure.

Spektrum Labs has named Mark Cravotta Chief Operating Officer.

More People On The Move

Expert Insights

Four decades of incident response experience suggest that exploits are often the symptom, not the root cause, of today’s cybersecurity failures.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.