Skip to main content
  1. Home
  2. Computing
  3. News

A new WordPress bug may have left 2 million sites vulnerable

By

A flaw in two WordPress custom plug-ins leaves users vulnerable to cross-site scripting attacks (XSS), according to a recent report.

Patchstack researcher Rafie Muhammad recently discovered an XSS flaw in the Advanced Custom Fields and Advanced Custom Fields Pro plug-ins, which are actively installed by over 2 million users worldwide, according to Bleeping Computer.

Recommended Videos

The flaw, called CVE-2023-30777 was discovered on May 2 and was given a high-severity prominence. The plug-ins’ developer, WP Engine, quickly provided a security update, version 6.1.6, within days of learning about the vulnerability,on May 4.

Please enable Javascript to view this content

The popular custom field builders allow users to have full control of their content management system from the back end, with WordPress edit screens, custom field data, and other features.

Related

However, XSS bugs can be seen in a front-facing fashion and work by injecting “malicious scripts on websites viewed by others, resulting in the execution of code on the visitor’s web browser,” Bleeping Computer added.

This could leave website visitors open to having their data stolen from infected WordPress sites, Patchstack noted.

Specifics about the XSS vulnerability indicate that it might be triggered by a “default installation or configuration of the Advanced Custom Fields plug-in.” However, users would have to have logged-in access to the Advanced Custom Fields plug-in to trigger it in the first place, meaning a bad actor would have to trick someone with access to trigger the flaw, the researchers added.

The CVE-2023-30777 flaw can be found in the admin_body_class function handler, in which a bad actor can inject malicious code. In particular, this bug injects DOM XSS payloads into the improperly drafted code, which is not caught by the code’s sanitize output, a security measure of sorts, which is part of the flaw.

The fix on version 6.1.6 introduced the admin_body_class hook, which blocks the XSS attack from being able to execute.

Users of Advanced Custom Fields and Advanced Custom Fields Pro should upgrade the plug-ins to version 6.1.6 or later. Many users remain susceptible to attack, with approximately 72.1% of WordPress.org plug-in users having versions running below 6.1. This makes their websites vulnerable not only to XSS attacks but also to other flaws in the wild, the publication said.

Editors’ Recommendations

Topics
Fionna Agomuoh
Fionna Agomuoh
Computing Writer
Fionna Agomuoh is a Computing Writer at Digital Trends. She covers a range of topics in the computing space, including…
One of the best work-from-home laptops is $120 off at Dell
The Dell Inspiron 15 on a white background.

Dell laptop deals love to tempt us all year round, and today we're seeing a great option to help prepare you for the new year. Today, you can buy the Dell Inspiron 15 for $330 instead of $450. We consider it to be one of the best laptops around for anyone working from home and keeping costs down. Read on and we’ll take you through what it has to offer, but remember, that $120 discount won’t stick around forever.

Why you should buy the Dell Inspiron 15
Check out our extensive guide to the best laptops for working from home and you’ll see the Dell Inspiron 15 riding high up top. The range is well priced while offering just the hardware you need for a great experience when working. This particular model has an AMD Ryzen 5 7520U CPU as well as 8GB of RAM and 512GB of SSD storage. Basic stuff, sure, but the design of the laptop is built to last and very robust for the price.

Read more
Prepare your wallet — this RTX 5090 PC costs over $6,000
Acer Predator Orion 7000 sitting on a table.

It's safe to say that no one expects Nvidia's best graphics cards to be cheap, but wow, these leaked listings are something else. Otto.de, a German retailer, briefly listed two Acer Predator Orion gaming PCs equipped with the RTX 5090 and the RTX 5080, and the prices are pretty crazy. The PC that comes with the RTX 5090 was priced at 5,999 euros, or around $6,240.

These listings were taken down shortly after they appeared, but VideoCardz snapped some screenshots before it was too late. Both seem to be newer versions of the Acer Predator Orion, and are equipped with Nvidia's upcoming RTX 50-series graphics cards and Intel's Core Ultra 200 series CPUs.

Read more
Intel’s promised Arrow Lake autopsy details up to 30% loss in performance
The Core Ultra 9 285K socketed into a motherboard.

Intel's Arrow Lake CPUs didn't make it on our list of the best processors when they released earlier this year. As you can read in our Core Ultra 9 285K review, Intel's latest desktop offering struggled to keep pace with last-gen options, particularly in games, and showed strange behavior in apps like Premiere Pro. Now, Intel says it has fixed the issues with its Arrow Lake range, which accounted for up to a 30% loss in real-world performance compared to Intel's in-house testing.

The company identified five issues with the performance of Arrow Lake, four of which are resolved now. The latest BIOS and Windows Updates (more details on those later in this story) will restore Arrow Lake processors to their expected level of performance, according to Intel, while a new firmware will offer additional performance improvements. That firmware is expected to release in January, pushing beyond the baseline level of performance Intel expected out of Arrow Lake.

Read more