Many companies do not even realize that people in their organization are running WordPress. Marketing, sales, customer relationship management and customer service teams, especially in small- to midsized businesses (SMBs), are common users. Any such team running the very popular WordPress plugin Advanced Custom Fields (ACF) should update to version 6.1.6 without delay.
The vulnerability, tracked under the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-30777, is a reflected cross-site scripting (XSS) flaw through which an attacker can get arbitrary script to execute in a victim's browser in the context of an otherwise innocuous website.
The plugin is available in both a free and a paid ("pro") version and has more than 2 million active installations.
CVE-2023-30777 was discovered by Patchstack security researchers and reported to the maintainers on May 2, 2023. Patchstack's team explained that, "This vulnerability allows any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by tricking a privileged user to visit the crafted URL path."
Generally, a reflected XSS attack tricks the victim into clicking a crafted link sent by email or another channel. The link carries the malicious code to the vulnerable website, which "reflects" it back into the page it serves to the victim's browser, where the code then runs with whatever access the victim has on that site.
"[A reflected XSS attack] is typically a result of incoming requests not being sufficiently sanitized, which allows for the manipulation of a web application's functions and the activation of malicious scripts," per Imperva.
Unfortunately, CVE-2023-30777 can be triggered on a default installation and configuration of ACF. The one precondition is that the victim must be a logged-in user with access to the ACF plugin; the attacker needs no account, only a way to get that user to open the crafted URL. Because the injected script runs in the privileged user's session, a successful attack can take actions on the site as that user, including escalating privileges.
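As an added illustration of the reflected XSS pattern described above (constructed for this page; it is not the ACF plugin's code and does not reproduce the CVE-2023-30777 sink), the following Python sketches a server-side handler that echoes a query parameter into an HTML attribute without encoding, beside two hardened variants: context-aware output encoding and validation against an allowlist of expected values. The handler, the `view` parameter, the page markup, the `KNOWN_VIEWS` set and the attacker URL are all assumptions made up for the example.

```python
"""Reflected XSS: a vulnerable render path beside two hardened ones.

Constructed illustration for this page. It is NOT the Advanced Custom Fields
plugin code and does not reproduce the CVE-2023-30777 sink; the handler, the
`view` parameter, the markup and the attacker URL are all made up.
"""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed attacker URL of the kind described above: the payload rides in a
# query parameter and is "reflected" into the page the victim's browser renders.
# The leading "> closes the attribute and tag the value is echoed into.
ATTACK_URL = (
    'https://example.test/wp-admin/edit.php'
    '?view="><script>alert(document.cookie)</script>'
)
BENIGN_URL = "https://example.test/wp-admin/edit.php?view=grid"

# Values the application itself defines for `view` (assumed for the example).
KNOWN_VIEWS = frozenset({"default", "list", "grid"})


def query_param(url: str, name: str, default: str = "default") -> str:
    """Return the first value of a query parameter, or `default` if absent."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get(name, [default])[0]


def page(body_class: str) -> str:
    """Assemble the (minimal) admin page around a body class attribute."""
    return f'<body class="wp-admin {body_class}">\n<h1>Admin</h1>\n</body>'


def render_vulnerable(url: str) -> str:
    """Defect: echo the request value into an attribute with no encoding."""
    view = query_param(url, "view")
    return page(f"view-{view}")


def render_encoded(url: str) -> str:
    """Fix 1: encode for the HTML attribute context before reflecting.

    quote=True also converts the double and single quote, which is what stops
    the payload from breaking out of the class attribute.
    """
    view = html.escape(query_param(url, "view"), quote=True)
    return page(f"view-{view}")


def render_allowlisted(url: str) -> str:
    """Fix 2: validate against the values the application defines.

    A CSS class should never be attacker-chosen text; unknown values fall
    back to the default instead of reaching the page at all.
    """
    view = query_param(url, "view")
    if view not in KNOWN_VIEWS:
        view = "default"
    return page(f"view-{view}")


def reflects_unencoded(markup: str, payload: str) -> bool:
    """Crude check: does the attacker's payload appear verbatim in the output?"""
    return payload in markup


if __name__ == "__main__":
    payload = query_param(ATTACK_URL, "view")
    for name, render in (("vulnerable", render_vulnerable),
                         ("encoded", render_encoded),
                         ("allowlisted", render_allowlisted)):
        out = render(ATTACK_URL)
        print(f"--- {name}: reflects payload verbatim = "
              f"{reflects_unencoded(out, payload)}")
        print(out)
```

In WordPress code the attribute-context equivalent of `html.escape(..., quote=True)` is `esc_attr()`, applied at the point of output. Where the value selects behaviour, as a CSS class does here, the allowlist is the stronger fix: it removes the attacker's text from the page entirely rather than relying on the encoding being right for every context the value might later be copied into.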
Visibility into all web application solutions used across your organization is hard to maintain, which is why it is so important to develop a robust and comprehensive security program management plan. The expert consulting Chief Information Security Officers (CISOs)—also known as virtual CISOs or fractional CISOs—from Webcheck Security possess the expertise to help you build a well-architected and mature program by which you can identify the entirety of your solutions, and protect them. Contact Webcheck Security today.