Attackers began exploiting a recently patched vulnerability in the Advanced Custom Fields WordPress plugin (CVE-2023-30777) just 24 hours after a proof-of-concept (PoC) exploit for it was published. The flaw is a reflected cross-site scripting (XSS) issue: an unauthenticated attacker crafts a URL that, when opened by a logged-in user, runs script in that user's browser, which can be used to steal sensitive information and, if the victim is an administrator, to gain the attacker privileged control of the site. The plugin has more than two million active installations.
Patchstack discovered the vulnerability on May 2, 2023 and disclosed it along with the PoC exploit on May 5, the day after the plugin developer released the fixed version, 6.1.6. Exploitation requires interaction from a logged-in user who has access to the plugin, typically an administrator: the victim must open a crafted URL, and the injected code then runs in the victim's browser with the victim's session. That is what ultimately gives the attacker highly privileged access to the site, even though the attacker starts with no account at all.
According to Akamai researchers, scanning and exploitation attempts began on May 6, 2023, and the payloads observed were the sample code from the Patchstack article, copied essentially verbatim.
With more than a million sites still running an unpatched version, the attack surface is large. WordPress site owners should update Advanced Custom Fields to 6.1.6 or later and keep their other plugins current. Because the attack only works when a privileged user opens a crafted link, administrators of sites that have not yet been updated should also treat unsolicited links into their own wp-admin with suspicion until the patch is applied.
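As an added example (not code from the article, Patchstack or Akamai), here is a small Python check that reads the CSV produced by WP-CLI's `wp plugin list --format=csv` and flags installations of the plugin older than the fixed release. The two plugin slugs (free and Pro editions) and the 6.1.6 threshold come from the plugin's public distribution and the advisory; the CSV sample is constructed. The check deliberately compares versions numerically, so that 6.1.10 is recognised as newer than 6.1.6 (a plain string comparison gets this wrong), and conservatively treats a pre-release build of 6.1.6 as unpatched.

```python
import csv
import io
import re

# Slugs under which the plugin is installed (free edition on WordPress.org, and the Pro edition).
ACF_SLUGS = {"advanced-custom-fields", "advanced-custom-fields-pro"}

# First release containing the fix for CVE-2023-30777.
FIXED_VERSION = "6.1.6"

# Constructed sample of `wp plugin list --format=csv` output
# (WP-CLI's default columns are name,status,update,version).
SAMPLE_WP_PLUGIN_LIST = """\
name,status,update,version
advanced-custom-fields,active,available,6.1.5
advanced-custom-fields-pro,inactive,none,6.0.7
akismet,active,none,5.1
"""


def parse_version(version):
    """Convert a plugin version string into a tuple that compares correctly.

    '6.1.10' must sort after '6.1.6', so components are compared as integers,
    not as text. A trailing non-numeric suffix ('6.1.6-beta1') marks a pre-release,
    which is ranked below the final release of the same number so that an
    unfinished build of the fixed version is still reported as unpatched.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", version.strip())
    if not m:
        raise ValueError(f"unparseable version string: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    numbers += (0,) * (3 - len(numbers))  # '6.1' compares as 6.1.0
    is_final = 0 if m.group(2) else 1     # pre-release sorts before the final build
    return numbers + (is_final,)


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True if `version` predates the release that carries the fix."""
    return parse_version(version) < parse_version(fixed)


def find_vulnerable_acf(wp_plugin_list_csv):
    """Return (slug, version, status) for every ACF install older than the fix.

    Inactive copies are reported too: an inactive plugin is not reachable through
    wp-admin, but it is one click away from being re-enabled, so update or remove it.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(wp_plugin_list_csv)):
        if row["name"] in ACF_SLUGS and is_vulnerable(row["version"]):
            findings.append((row["name"], row["version"], row["status"]))
    return findings


if __name__ == "__main__":
    for slug, version, status in find_vulnerable_acf(SAMPLE_WP_PLUGIN_LIST):
        print(f"{slug} {version} ({status}): older than {FIXED_VERSION}, update required")
```

On a real host, feed the function the output of `wp plugin list --format=csv` run from the site's document root; on a fleet, loop over sites and collect the findings, since the same slug-and-threshold logic applies to every install.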