Threat actors were seen adopting public proof-of-concept (PoC) exploit code targeting a cross-site scripting (XSS) vulnerability in the Advanced Custom Fields WordPress plugin only two days after a patch was released, Akamai reports.
Tracked as CVE-2023-30777, the high-severity vulnerability could allow attackers to inject malicious scripts and other payloads into vulnerable websites. The code would be executed when guests visit the website.
Resulting from an improper sanitization of output in a function configured as an extra handler for a WordPress hook, the issue can be triggered on default plugin installations and does not require authentication for successful exploitation.
CVE-2023-30777 was addressed with the release of Advanced Custom Fields version 6.1.6 on May 4. The patch was included in version 5.12.6 of the plugin as well.
Exploitation attempts targeting the vulnerability, Akamai says, started ramping up on May 6, two days after the patch and one day after technical information on the bug were published.
According to Akamai, the most interesting aspect of the observed attacks was the fact that they were using the same PoC exploit that WordPress security company Patchstack, which identified the vulnerability, published on May 5.
The threat actor behind this increasing volume of attacks that targeted organizations across multiple sectors does not appear sophisticated, given their “complete lack of effort to create a new exploit code”, Akamai notes.
With more than two million WordPress websites using Advanced Custom Fields, exploitation of CVE-2023-30777 will likely continue. Users are advised to update their installations as soon as possible.
Related: 1 Million WordPress Sites Impacted by Exploited Plugin Vulnerability
Related: Abandoned WordPress Plugin Abused for Backdoor Deployment
Related: WordPress Plugin Vulnerability Exposed Ferrari Website to Hackers