This blog post is about a vulnerability in the Advanced Custom Fields free and pro plugin. If you use Advanced Custom Fields (free or pro), please update the plugin to at least version 6.1.6. The security fix has also been backported to version 5.12.6.
Patchstack Developer and Business Plan users are protected from the vulnerability.
You can also sign up for the Patchstack Community plan to be notified about vulnerabilities as soon as they become disclosed.
For plugin developers, we have security audit services and Threat Intelligence Feed API for hosting companies.
Update regarding exploitation attempts
As we write this update on 16 May 2023, we have noticed claims circulating in the media that the sample PoC URL in this article is being used to mass-exploit websites. We consider this unlikely, since the XSS can only be triggered by logged-in users (mainly administrators) who have access to the Advanced Custom Fields feature. We assume that attackers are requesting the sample PoC URL directly, and such a request does not indicate a concrete exploitation. This applies to most vulnerabilities that require user interaction, such as CSRF and reflected XSS. As of this update, our monitoring system has not caught any concrete exploitation attempts against our customers.
About the Advanced Custom Fields WordPress plugin
The Advanced Custom Fields and Advanced Custom Fields Pro plugin (versions 6.1.5 and below, free and pro) has over 2 million active installations. It is known as the most popular custom fields plugin for WordPress.
The plugin allows us to add extra content fields to WordPress edit screens. These extra content fields, more commonly referred to as custom fields, let us build websites faster with more fields available.
The security vulnerability in Advanced Custom Fields
This plugin suffers from a reflected XSS vulnerability.
It allows an unauthenticated attacker to steal sensitive information or, in this case, to escalate privileges on the WordPress site by tricking a privileged user into visiting a crafted URL.
The vulnerability was fixed in version 6.1.6 (and backported to version 5.12.6) and assigned CVE-2023-30777.
Find out more from the Patchstack database and here.
The underlying vulnerability is located in the admin_body_class function handler:
    public function admin_body_class( $classes ) {
        $classes .= " acf-admin-page acf-internal-post-type {$this->admin_body_class}";
        if ( $this->view ) {
            // $this->view is appended to the class string as-is; no HTML escaping is applied here.
            $classes .= " view-{$this->view}";
        }
        return $classes;
    }
The admin_body_class method is registered as an additional handler for WordPress's own hook of the same name, admin_body_class. This hook filters the CSS classes applied to the main body tag in the admin area.
    // Add hooks.
    add_action( 'admin_enqueue_scripts', array( $this, 'admin_enqueue_scripts' ) );
    add_action( 'admin_body_class', array( $this, 'admin_body_class' ) );
If we look deeper at the implementation of the admin_body_class hook in WordPress core, we can see that the output of the hook is not properly sanitized and is written directly into the HTML page:
    $admin_body_classes = apply_filters( 'admin_body_class', '' );
    $admin_body_classes = ltrim( $admin_body_classes . ' ' . $admin_body_class );
    ?>
    <!-- The filtered string is echoed into the attribute without escaping. -->
    <body class="wp-admin wp-core-ui no-js <?php echo $admin_body_classes; ?>">
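The following is an added example, not code from the plugin or from WordPress core. It places the unescaped class-building pattern shown above beside a hardened version; the page does not show where $this->view is populated from, so the 'view' query parameter and the allow-list of view names are assumptions.

```php
<?php
// Added example (not the plugin's or WordPress core's code). Names ending in _example
// are hypothetical. The 'view' request parameter and the allow-list are assumptions.

// Stand-alone fallback so this file also runs outside WordPress. It mirrors the
// behaviour of core's sanitize_html_class(): drop percent-encoded bytes, then keep
// only A-Z, a-z, 0-9, underscore and hyphen, which removes quotes, spaces and brackets.
if ( ! function_exists( 'sanitize_html_class' ) ) {
    function sanitize_html_class( $classname ) {
        $sanitized = preg_replace( '|%[a-fA-F0-9][a-fA-F0-9]|', '', $classname );
        return preg_replace( '/[^A-Za-z0-9_-]/', '', $sanitized );
    }
}

// Weak: the request-derived $view is appended verbatim. Core later echoes the
// filtered string into <body class="...">, so a double quote in $view closes the
// attribute and whatever follows lands in the page as markup.
function weak_admin_body_class_example( $classes, $view ) {
    return $classes . " acf-admin-page view-{$view}";
}

// Hardened: reduce the value to a valid class token, then only accept names the
// plugin actually knows. Either step alone removes the attribute break-out; the
// allow-list additionally keeps arbitrary tokens out of the markup.
function hardened_admin_body_class_example( $classes, $view ) {
    $allowed_views = array( 'list', 'edit', 'trash' ); // constructed allow-list
    $view          = sanitize_html_class( (string) $view );
    if ( in_array( $view, $allowed_views, true ) ) {
        $classes .= ' view-' . $view;
    }
    return $classes;
}

// Constructed input: a quote that closes the class attribute, followed by a new
// attribute. The weak handler passes it through; the hardened one drops it.
$hostile = 'x" data-injected="yes';
echo weak_admin_body_class_example( '', $hostile ), "\n";
echo hardened_admin_body_class_example( '', $hostile ), "\n";
echo hardened_admin_body_class_example( '', 'edit' ), "\n";

// Inside WordPress, the hardened handler would be registered on the same hook the
// plugin uses (add_filter is the accurate call, since admin_body_class is a filter).
if ( function_exists( 'add_filter' ) ) {
    add_filter( 'admin_body_class', function ( $classes ) {
        $view = isset( $_GET['view'] ) ? (string) $_GET['view'] : ''; // assumed parameter
        return hardened_admin_body_class_example( $classes, $view );
    } );
}
```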
Source: patchstack.com