WordPress plugin vulnerability affected more than 2 million sites

Published May 9, 2023
Author: Ash Khan

Following the disclosure of a security issue, users of the Advanced Custom Fields WordPress plugins are being advised to update to version 6.1.6.

The security flaw, tracked as CVE-2023-30777, is a reflected cross-site scripting (XSS) vulnerability. It may be exploited to inject arbitrary executable scripts into otherwise trustworthy web pages.

The plugin, which is offered in both a free and a pro edition, has more than two million active installs. The problem was identified and reported to the maintainers on May 2, 2023.

Vulnerable WordPress Plugins

According to a cybersecurity website researcher, this vulnerability allows any unauthenticated user to do anything from stealing sensitive information to, in this case, escalating privileges on the WordPress-hosted site by tricking a privileged user into visiting the crafted URL path.

In reflected XSS attacks, targets are tricked into clicking on fake links supplied via email or another channel. The link carries the malicious code to the vulnerable website, which reflects it back into the victim's browser, where it executes.

Because they depend on social engineering, reflected XSS attacks don't have the same reach and scope as stored XSS attacks; to compensate, threat actors spread the malicious link to as many victims as they can.

According to a security service website, a reflected XSS attack is caused by incoming requests that were not sufficiently sanitized. This enables the manipulation of a web application's functions and the activation of malicious scripts.
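The two paragraphs above describe the mechanism in the abstract. The following is an added illustration, not code from the Advanced Custom Fields plugin or from the article, of what "insufficiently sanitized incoming request" looks like in PHP: a query-string parameter reflected into the page verbatim, beside the hardened version that escapes at the point of output. The parameter name `s`, the markup and the sample request are constructed for this example.

```php
<?php
// Added illustration (not the Advanced Custom Fields plugin's code) of the
// root cause described above: a request parameter reflected into a page
// without escaping, beside the hardened version a plugin should ship.
// The parameter name "s" and the markup are constructed for this example.

// Vulnerable: the raw query-string value is written straight into HTML, so
// whatever a crafted link puts in "s" becomes part of the page that the
// logged-in user who followed the link is viewing.
function render_vulnerable(array $get): string
{
    $term = $get['s'] ?? '';
    return '<input type="text" name="s" value="' . $term . '">'
         . '<p>Search results for: ' . $term . '</p>';
}

// Hardened: escape at the point of output, for the context being written.
// htmlspecialchars() with ENT_QUOTES is the plain-PHP equivalent of the
// WordPress esc_attr()/esc_html() helpers; because both contexts here are
// a plain HTML attribute and text, one escaped copy serves both.
function render_hardened(array $get): string
{
    $term = (string) ($get['s'] ?? '');
    $safe = htmlspecialchars($term, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="s" value="' . $safe . '">'
         . '<p>Search results for: ' . $safe . '</p>';
}

// Minimal check a reviewer or test suite can run: does the untrusted value
// survive verbatim in the rendered markup? It should not.
function reflects_raw_markup(string $html, string $untrusted): bool
{
    return strpos($html, $untrusted) !== false;
}

// Constructed request, the kind of value a crafted link would carry.
$request = ['s' => '"><script>alert(1)</script>'];

var_dump(reflects_raw_markup(render_vulnerable($request), $request['s']));
var_dump(reflects_raw_markup(render_hardened($request), $request['s']));
echo render_hardened($request), PHP_EOL;
```

Escaping on output is what stops the reflection; input filtering such as the WordPress `sanitize_text_field()` helper is a useful second layer but does not replace it.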

CVE-2023-30777 can be triggered on a default Advanced Custom Fields installation or configuration. It is important to note, however, that only logged-in users with access to the plugin can do this.

The disclosure follows fixes by Craft CMS for two medium-severity XSS weaknesses (CVE-2023-30177 and CVE-2023-31144) that attackers could have used to serve malicious payloads.

It also comes after the publication of another XSS weakness in cPanel, CVE-2023-29489 (CVSS score: 6.1), which may be used to run arbitrary JavaScript without any authentication.

Another security researcher stated that an attacker can target not only the management ports of cPanel but also the applications running on ports 80 and 443, adding that this might allow an adversary to hijack a legitimate user's cPanel session.

Once operating on behalf of an authorised cPanel user, it is often simple to upload a web shell and obtain command execution.