CVE-2023-30777: XSS Flaw Found in WordPress Plugin With More Than 2 million Installations

The Advanced Custom Fields (ACF) and Advanced Custom Fields Pro plugins, which boast over 2 million active installations, are among the most widely utilized custom fields plugins in the WordPress ecosystem. They enable users to add extra content fields to their WordPress edit screens, simplifying website construction with a broader range of available fields. Recently, a Cross-Site Scripting (XSS) vulnerability was discovered in these plugins, prompting a crucial update to version 6.1.6.

Overview of the Vulnerability:

Rafie Muhammad, a researcher at Patchstack, identified an XSS vulnerability in the WordPress Advanced Custom Fields Pro Plugin. This security flaw could permit malicious actors to inject harmful scripts, such as redirects, advertisements, and other HTML payloads, into a website, which would then be executed when guests visit the site. The vulnerability has been addressed in version 6.1.6 and assigned CVE-2023-30777, with a CVSS score of 7.1.

Root Cause Analysis:

The vulnerability stems from the admin_body_class function handler within the plugin. The admin_body_class is configured as an additional handler of WordPress’ own hook, also named admin_body_class. This hook manages and filters the CSS classes for the main body tag in the admin area. Upon closer inspection, it becomes evident that the hook’s output value is not properly sanitized and is directly constructed on the HTML page. This oversight creates the potential for XSS vulnerabilities if the admin_body_class hook function handler fails to adequately sanitize the returned classes string.

Exploitation Example:

Malicious actors could exploit the CVE-2023-30777 vulnerability by manipulating the $this->view variable from the current_screen function. The sanitize_text_field function’s sanitization is insufficient to prevent XSS in this scenario, as a DOM XSS payload can still be utilized. The XSS could be executed using a payload similar to the following example:

http://<WORDPRESS_SITE>/wp-admin/edit.php?post_type=acf-field-group&post_status=xxxxxxx” onload=alert(document.domain) xxx=”

The reflected HTML structure displayed on the front-end might resemble:

<body class=”wp-admin wp-core-ui no-js acf-admin-5-3 acf-browser-chrome acf-admin-page acf-internal-post-type acf-admin-field-groups view-xxxxxxx\” onload=alert(document.domain) xxx=\” edit-php auto-fold admin-bar post-type-acf-field-group branch-6-2 version-6-2 admin-color-fresh locale-en-us no-customize-support no-svg”>

This vulnerability could be triggered on a default installation or configuration of the Advanced Custom Fields plugin and only by logged-in users with access to the plugin.

Resolution:

The issue arises primarily due to the code directly constructing a variable on the HTML without proper sanitization. Implementing the esc_attr function is sufficient to patch the issue. Users of the Advanced Custom Fields and Advanced Custom Fields Pro plugins (versions 6.1.5 and below) are strongly encouraged to update to version 6.1.6 to safeguard their websites from this XSS vulnerability.