
A new WordPress bug may have left 2 million sites vulnerable

A flaw in two WordPress custom-field plug-ins leaves site users vulnerable to cross-site scripting (XSS) attacks, according to a recent report.

Patchstack researcher Rafie Muhammad recently discovered an XSS flaw in the Advanced Custom Fields and Advanced Custom Fields Pro plug-ins, which have more than 2 million active installations worldwide, according to Bleeping Computer.


The flaw, tracked as CVE-2023-30777, was reported on May 2 and rated high severity. The plug-ins’ developer, WP Engine, released a security update, version 6.1.6, on May 4, two days after learning about the vulnerability.

The popular custom-field builders give site owners fine-grained control of their content management system from the back end, extending WordPress edit screens with custom field data and other features.

XSS is a client-side attack: it works by injecting “malicious scripts on websites viewed by others, resulting in the execution of code on the visitor’s web browser,” Bleeping Computer added.

A visitor whose browser runs the injected script could have data stolen from the affected WordPress site, Patchstack noted.

Patchstack notes that the flaw can be triggered on a default installation or configuration of the Advanced Custom Fields plug-in. However, the payload only fires in the browser of a logged-in user with access to the plug-in, so an attacker would first have to trick such a user into opening a crafted link, the researchers added.

CVE-2023-30777 lies in the plug-in’s admin_body_class function handler, which builds the class list for the WordPress admin page’s body tag. An attacker-controlled value reaches that output without being properly sanitized, so a DOM XSS payload placed in it is rendered into the page instead of being neutralized; the inadequate output sanitization is the root of the flaw.

Version 6.1.6 fixes the bug by properly sanitizing the output of the admin_body_class handler before it is written to the page, so the injected payload can no longer execute.
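The pattern described above, a request value concatenated into the admin body class attribute and later escaped, is easy to reproduce in isolation. The following PHP is an added example written for this article; it is not code from Advanced Custom Fields, WordPress, or Patchstack. The query parameter name `status`, the helper names, and the two stand-in functions are assumptions: `esc_attr()` and `sanitize_html_class()` are real WordPress functions, but the stand-ins here reimplement only the behaviour the example relies on so the script runs outside WordPress.

```php
<?php
// Added example, not code from Advanced Custom Fields or WordPress.
// Models the bug class described in the article: a request value appended
// to the admin <body class="..."> attribute, once unescaped and once sanitized.

// Stand-in (assumption) for WordPress esc_attr(): HTML-encodes &, <, >, " and '
// so a value cannot terminate the attribute it is placed in.
function esc_attr_standin(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Stand-in (assumption) for WordPress sanitize_html_class(): keeps only the
// characters that are legal in a CSS class token (A-Z, a-z, 0-9, '_', '-').
function sanitize_html_class_standin(string $class): string {
    return preg_replace('/[^A-Za-z0-9_-]/', '', $class) ?? '';
}

// Vulnerable pattern: an admin_body_class-style filter appends a request
// value straight into the class list and the caller prints it unescaped.
function body_class_vulnerable(array $get, string $classes = 'wp-admin'): string {
    if (isset($get['status'])) {                 // 'status' is a made-up parameter name
        $classes .= ' status-' . $get['status'];
    }
    return '<body class="' . $classes . '">';
}

// Hardened pattern: restrict the value to class-name characters when it is
// read, and escape the whole attribute value when it is printed. Either step
// alone stops this payload; doing both keeps the class list well-formed too.
function body_class_hardened(array $get, string $classes = 'wp-admin'): string {
    if (isset($get['status'])) {
        $classes .= ' status-' . sanitize_html_class_standin((string) $get['status']);
    }
    return '<body class="' . esc_attr_standin($classes) . '">';
}

// Constructed payload: closes the class attribute early and adds an event
// handler. A victim would reach it through a crafted /wp-admin/ link while
// logged in, which is the precondition the article describes.
$payload = ['status' => 'draft" onload="alert(document.cookie)'];

echo body_class_vulnerable($payload), PHP_EOL;
echo body_class_hardened($payload), PHP_EOL;
```

Run with `php example.php`. The first line printed is a body tag whose class attribute is closed by the injected quote, leaving `onload="alert(document.cookie)"` as a live attribute; the second keeps the entire value inside the class attribute, with the quote, spaces and parentheses stripped by the class sanitizer and anything that survived encoded by the attribute escaper. The general lesson is the one the fix applies: values derived from the request must be escaped for the exact context they are printed into, and a class attribute is an HTML attribute context even when the value looks harmless.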

Users of Advanced Custom Fields and Advanced Custom Fields Pro should upgrade to version 6.1.6 or later. Many sites remain exposed: roughly 72.1% of WordPress.org installations of the plug-in were running versions below 6.1 at the time of the report, leaving them open not only to this XSS bug but also to other flaws fixed in later releases, the publication said.

Fionna Agomuoh
Fionna Agomuoh is a Computing Writer at Digital Trends. She covers a range of topics in the computing space, including…