WordPress plugin hole puts '2 million websites' at risk


WordPress users with the Advanced Custom Fields plugin on their website should upgrade after the discovery of a vulnerability in the code that could open up sites and their visitors to cross-site scripting (XSS) attacks.

A warning from Patchstack about the flaw claimed there are more than 2 million active installs of the Advanced Custom Fields and Advanced Custom Fields Pro versions of the plugin, which are used to give site operators greater control over their content and data.

Patchstack researcher Rafie Muhammad uncovered the vulnerability on May 2, and reported it to Advanced Custom Fields' vendor Delicious Brains, which took over the software last year from developer Elliot Condon.

On May 5, a day after a patched version of the plugins was released by Delicious Brains, Patchstack published details of the flaw. Users are advised to update their plugin to at least version 6.1.6.

The flaw, tracked as CVE-2023-30777 and with a CVSS score of 6.1 out of 10 in severity, leaves sites vulnerable to reflected XSS attacks, in which miscreants inject malicious code into a webpage via a crafted request. The code is then "reflected" back in the response and executed within the browser of the visitor who made that request.

Essentially, it allows someone to run JavaScript within another person's view of a page, letting the attacker do things like steal information from the page, perform actions as that user, and so on. That's a big problem if the victim is a logged-in administrative user, as their account could be hijacked to take over the website.

"This vulnerability allows any unauthenticated user [to steal] sensitive information to, in this case, privilege escalation on the WordPress site by tricking the privileged user to visit the crafted URL path," Patchstack wrote in its report.

The outfit added that "this vulnerability could be triggered on a default installation or configuration of Advanced Custom Fields plugin. The XSS also could only be triggered from logged-in users that have access to the Advanced Custom Fields plugin."


The flaw is relatively straightforward. It stems from the plugin's "admin_body_class" function handler, which Patchstack said was registered as an additional callback on WordPress' hook of the same name, admin_body_class. That filter hook builds the string of CSS classes applied to the main body tag of every page in the admin area, so anything a callback appends to it ends up in the page markup.

The function handler did not properly sanitize the value it appended to that string, allowing an attacker to inject arbitrary markup, including redirects, advertisements, and other HTML or script payloads, into the admin page. The payload is executed in the browser of a logged-in user with access to the plugin when that user is lured into opening the crafted URL.
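The pattern described above, as an added illustration rather than code from the Advanced Custom Fields plugin or the Patchstack report: a hypothetical plugin callback on the admin_body_class filter that concatenates a request parameter into the class string, beside a hardened version that restricts the value to characters a CSS class name may contain. The parameter name example_view and the function names are placeholders chosen for this example; they are not the parameter or code path involved in CVE-2023-30777.

```php
<?php
/**
 * Added example, not ACF's code. WordPress core applies the admin_body_class
 * filter and echoes the resulting string straight into
 * <body class="..."> on every admin page, so each callback is responsible
 * for returning only safe class names.
 *
 * "example_view" is a hypothetical request parameter used for illustration.
 */

// Vulnerable pattern: a request-controlled value is appended verbatim.
// A crafted URL such as
//   /wp-admin/index.php?example_view=x"><script>alert(document.cookie)</script>
// closes the class attribute and injects markup that runs in the browser of
// whichever logged-in user opens the link (a reflected XSS).
function example_admin_body_class_vulnerable( $classes ) {
    if ( isset( $_GET['example_view'] ) ) {
        $classes .= ' example-view-' . $_GET['example_view'];
    }
    return $classes;
}

// Hardened pattern: sanitize_html_class() keeps only [A-Za-z0-9_-], so
// quotes, angle brackets and slashes can never reach the attribute. Values
// that sanitize to nothing are dropped rather than emitting a dangling
// "example-view-" class.
function example_admin_body_class_fixed( $classes ) {
    if ( isset( $_GET['example_view'] ) ) {
        $view = sanitize_html_class( wp_unslash( $_GET['example_view'] ) );
        if ( '' !== $view ) {
            $classes .= ' example-view-' . $view;
        }
    }
    return $classes;
}

add_filter( 'admin_body_class', 'example_admin_body_class_fixed' );
```

Where the set of legitimate values is known in advance, an explicit allowlist (compare against a fixed array of view names and ignore anything else) is tighter still than character filtering. Site operators can confirm which version is installed with `wp plugin get advanced-custom-fields --field=version`; anything below 6.1.6 should be updated.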

According to Patchstack, the XSS vulnerability was one of four found in the popular plugin over the past couple of years.

WordPress, which celebrates its 20th birthday this month, remains the most popular content management system in the world, used by 43.2 percent of all websites, according to W3Techs. Because of the hundreds of millions of sites that use it, WordPress has also become a popular target for miscreants who want to exploit any flaws in the system - it's where the money is.

According to a Patchstack survey, there was a 150 percent increase in the number of WordPress vulnerabilities reported between 2020 and 2021, and 29 percent of plugins with critical vulnerabilities at the time remained unpatched.

In addition, WordPress' ease of use lets anyone from tech hobbyists to professionals quickly set up a website, adding to the security risks of the platform, according to Melissa Bischoping, director of endpoint security research at cybersecurity firm Tanium.

"Because many of the plugins available for WordPress sites are developed by the community, they may not be regularly audited and maintained," Bischoping told The Register. "The plugins themselves may contain security vulnerabilities and it is also easy to misconfigure permissions or plugin settings, exposing additional opportunities for exploit."

She added that "for some of the most popular plugins, those can be present in literally millions of websites, which is an attractive large scope of opportunity for a threat actor."

Casey Ellis, founder and CTO at security crowdsourcer Bugcrowd, told The Register that anyone whose WordPress site is hacked should migrate it to a SaaS host, where security maintenance is outsourced to a third party and a web application firewall can be put up in front of the site.

"The vast majority of bloggers and small business owners that run WordPress sites … are not cybersecurity experts," Ellis said. "WordPress certainly needs updating on a consistent basis, especially if you have a website that has a number of plugins and third-party code." ®