WordPress custom field plugin bug (CVE-2023-40068) exposes 1M sites to XSS attacks
A cross-site scripting (XSS) vulnerability has been found in the Advanced Custom Fields (ACF) and Advanced Custom Fields Pro WordPress plugins. The vulnerability, tracked as CVE-2023-40068, affects versions 6.1.0 to 6.1.7 of the plugins.
XSS vulnerabilities allow attackers to inject malicious scripts into websites that are viewed by others. These scripts can then be executed in the victim’s web browser, potentially allowing the attacker to steal sensitive information, hijack sessions, or perform other malicious actions.
In the case of the ACF vulnerability, an attacker could exploit it by creating a malicious post type or taxonomy label. If a victim were to then view the page that contains the malicious label, the attacker’s script would be executed in the victim’s web browser.
Delving deeper into the technical details, CVE-2023-40068 is a stored XSS vulnerability specifically affecting ACF’s admin screens tied to post type and taxonomy labels. But there’s a catch. To exploit this, an attacker requires administrator access to ACF’s admin screens, where they can then save a malicious Post Type or Taxonomy label.
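As an added illustration (not the ACF plugin's own code), the pattern behind a stored XSS in an admin label and the contextual output escaping that removes it; `render_label_row_unsafe`, `render_label_row_safe` and `esc_html_stub` are hypothetical names, and the label value is constructed:

```php
<?php
// Added example, not code from the ACF plugin. Shows how a stored label that is
// concatenated into admin-screen markup verbatim becomes stored XSS, and how
// escaping for the HTML context it lands in prevents it.

// Stand-in for WordPress's esc_html() so the file runs under plain PHP.
// In a real plugin use esc_html() / esc_attr() (both are core WordPress functions).
function esc_html_stub(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: the stored label is inserted into the table row as-is.
function render_label_row_unsafe(string $label): string {
    return '<tr><td class="label">' . $label . '</td></tr>';
}

// Hardened pattern: the same row, with the stored value escaped on output.
function render_label_row_safe(string $label): string {
    return '<tr><td class="label">' . esc_html_stub($label) . '</td></tr>';
}

// Constructed label of the kind the advisory describes: markup saved as a
// post type / taxonomy label by a user who can reach the ACF admin screens.
$label = 'Books<script>alert(1)</script>';

echo render_label_row_unsafe($label), PHP_EOL; // script tag reaches the browser intact
echo render_label_row_safe($label), PHP_EOL;   // shown as literal text: &lt;script&gt;...

// Regression check a reviewer can keep in the plugin's test suite:
// no raw tag from the stored value may survive in the safe rendering.
assert(strpos(render_label_row_safe($label), '<script') === false);
```

The same escaping must be applied in every context the label is printed in (HTML body, attribute values, JavaScript), since a value that is safe in one context can still break out of another.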
With a staggering 2 million active installs globally, the implications of such vulnerabilities in the ACF plugins are undoubtedly severe.
The vulnerability is considered to be high severity and affects a large number of websites. All users of ACF and ACF Pro are advised to upgrade to version 6.1.8 or later as soon as possible.
If you are using ACF or ACF Pro, you can protect yourself from this vulnerability by following these steps:
- Upgrade to version 6.1.8 or later as soon as possible.
- If you cannot upgrade immediately, you can disable the ACF plugin until you can upgrade.
- Use a web application firewall (WAF) to block malicious traffic.
- Keep your WordPress installation up to date with the latest security patches.
- Use strong passwords and don’t share them with anyone.
- Be careful about what websites you visit and what files you open.
- Use a security awareness training program to educate your employees about cyber threats.