QID 730813

Date Published: 2023-06-05

QID 730813: WordPress Plugin Advanced Custom Fields Cross-Site Scripting (XSS) Vulnerability

Advanced Custom Fields (ACF) is a powerful and popular WordPress plugin. With ACF, users can easily create custom fields, add metadata, and manipulate data, allowing for more complex and customizable websites.

The plugin has been found to have a vulnerability that can potentially allow Reflected Cross-Site Scripting (XSS) attacks. The vulnerability is caused by insufficient input sanitization and output escaping of the 'post_status' parameter. If successfully exploited, attackers can inject arbitrary web scripts that execute when a user performs a specific action, such as clicking on a malicious link. It is important to note that this vulnerability can be exploited without authentication, making it particularly dangerous for WordPress site owners.
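The class of bug described above, input reflected into a page without sanitization or output escaping, is easiest to recognise side by side with its fix. The following PHP is an added, constructed illustration for this advisory; it is not code from the Advanced Custom Fields plugin, and the function names `example_vulnerable_status_filter` and `example_hardened_status_filter` are hypothetical. The WordPress core helpers it relies on (`sanitize_key`, `wp_unslash`, `esc_attr`, `esc_html`) are real.

```php
<?php
// Added illustration (not ACF's code): a reflected XSS sink of the kind the
// advisory describes, next to the hardened form built from WordPress core helpers.
// All function and variable names below are constructed for this example.

/**
 * Vulnerable pattern: a query-string value is echoed straight into markup.
 * Whatever arrives in ?post_status=... lands in the response unescaped, so a
 * crafted link can carry markup or script into the page a victim views.
 */
function example_vulnerable_status_filter() {
    $status = isset( $_GET['post_status'] ) ? $_GET['post_status'] : 'any';
    echo '<input type="hidden" name="post_status" value="' . $status . '">';
    echo '<p>Showing posts with status: ' . $status . '</p>';
}

/**
 * Hardened pattern: restrict the input to the values the code actually
 * expects, then escape on output for the context the value is printed into.
 */
function example_hardened_status_filter() {
    // Constructed allow-list of statuses this screen understands.
    $allowed = array( 'any', 'publish', 'draft', 'pending', 'private', 'trash' );

    // Input sanitization: wp_unslash() removes WordPress' added slashes and
    // sanitize_key() keeps only lowercase a-z, 0-9, '_' and '-', so no markup
    // characters survive this step.
    $status = isset( $_GET['post_status'] )
        ? sanitize_key( wp_unslash( $_GET['post_status'] ) )
        : 'any';

    // Allow-list check: an unexpected value falls back to a safe default
    // instead of being reflected back to the browser.
    if ( ! in_array( $status, $allowed, true ) ) {
        $status = 'any';
    }

    // Output escaping chosen per context: esc_attr() inside an attribute value,
    // esc_html() inside element text. Escaping is applied even though the value
    // is already allow-listed, so neither defence depends on the other.
    echo '<input type="hidden" name="post_status" value="' . esc_attr( $status ) . '">';
    echo '<p>Showing posts with status: ' . esc_html( $status ) . '</p>';
}
```

When reviewing a plugin for this pattern, the thing to look for is any `echo` or `printf` of a `$_GET`/`$_REQUEST` value that reaches the browser without an `esc_*` call matched to its HTML context; sanitizing on input alone is not enough, because the same value may later be printed into a different context.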

Affected versions:
Advanced Custom Fields plugin versions 6.1.5 and below

QID Detection Logic:
This unauthenticated detection uses the BlindElephant engine to fingerprint the installed version of the Advanced Custom Fields WordPress plugin and flag versions in the affected range.

Successful exploitation could allow an attacker to execute arbitrary JavaScript code in the context of the interface or allow the attacker to access sensitive, browser-based information.

  • CVSS V3 rated as High - 6.1 severity.
  • CVSS V2 rated as High - 6.4 severity.

Solution:
Customers are advised to upgrade to Advanced Custom Fields 6.1.6 or a later version to remediate this vulnerability.

Vendor References:

CVEs related to QID 730813

Software Advisories:
Advisory ID | Software Component | Link
Advanced Custom Fields (ACF) Plugin Release Notes | wordpress.org/plugins/advanced-custom-fields/#developers