Attackers wasted no time exploiting a recently patched vulnerability in the WordPress Advanced Custom Fields (ACF) plugin, putting a publicly available proof-of-concept (PoC) exploit to use within 24 hours of its disclosure.
The vulnerability, tracked as CVE-2023-30777, is a high-severity reflected cross-site scripting (XSS) flaw. Because the payload is reflected rather than stored, an attacker with no account on the site cannot trigger it directly; they must get a privileged user to open a crafted link, after which the injected script runs in that user's browser and can steal sensitive information or act with the victim's privileges on the targeted WordPress site.
Patchstack discovered the vulnerability on May 2nd, 2023 and published its disclosure, including a PoC exploit, on May 5th, one day after the plugin vendor shipped the fix in version 6.1.6.
According to a report from the Akamai Security Intelligence Group (SIG), significant scanning and exploitation activity was observed starting on May 6th, 2023, using the sample code provided in Patchstack's disclosure.
“The Akamai SIG analyzed XSS attack data and identified attacks starting within 24 hours of the exploit PoC being made public,” the report stated.
What makes this case particularly noteworthy is that the threat actor copied the sample code from Patchstack's write-up and used it as-is, with no adaptation.
With over 1.4 million websites still running a vulnerable version of the plugin, according to wordpress.org statistics, attackers have a broad attack surface to work with.
Exploiting the flaw requires a logged-in user with access to the plugin to open a crafted URL. The injected script then executes in that user's browser, inside their authenticated session, which is how the attacker ends up with the victim's elevated privileges on the site.
Despite this requirement, the scanning activity shows that threat actors are undeterred, counting on basic deception and social engineering to get a victim to follow the malicious link.
Furthermore, the exploit works against default configurations of the affected plugin versions, so an attacker needs no additional setup on the target for it to succeed.
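The scanning described above leaves traces in ordinary web server access logs, so a site owner can hunt for it. The following Python script is an added example and is not code from the article, Patchstack or Akamai: it parses combined-format log lines, decodes each query-string value (including double-encoded ones), flags values that contain injected markup, and separates unauthenticated probes, which WordPress answers with a 302 redirect to the login page, from requests that were served to a logged-in session. The log lines are constructed for the example, and the `page`/`view` parameter names are placeholders rather than the parameter used in the actual ACF PoC.

```python
"""Hunt a web server access log for reflected-XSS probes against WordPress admin pages.

Added example; not code from the article, Patchstack or Akamai.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
# The page/view parameter names are placeholders, not the parameter from the ACF PoC.
# The third field stays "-" because WordPress cookie sessions never populate it.
SAMPLE_LOG = """\
203.0.113.7 - - [06/May/2023:03:12:45 +0000] "GET /wp-admin/admin.php?page=example-tools&view=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 302 0 "-" "python-requests/2.28"
203.0.113.7 - - [06/May/2023:03:12:46 +0000] "GET /wp-admin/admin.php?page=example-tools&view=%253Cscript%253Ealert(document.cookie)%253C%252Fscript%253E HTTP/1.1" 302 0 "-" "python-requests/2.28"
198.51.100.23 - - [06/May/2023:08:01:10 +0000] "GET /wp-admin/admin.php?page=example-tools&view=export HTTP/1.1" 200 18233 "https://example.com/wp-admin/" "Mozilla/5.0"
198.51.100.23 - - [06/May/2023:08:05:41 +0000] "GET /wp-admin/admin.php?page=example-tools&view=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 18290 "https://mail.example.net/" "Mozilla/5.0"
192.0.2.9 - - [06/May/2023:09:40:00 +0000] "GET /?s=javascript%3Aalert(1) HTTP/1.1" 200 7321 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Fragments that have no business inside a query-string value. Deliberately loose:
# expect some false positives (a value such as "online=1" trips the handler rule)
# and review the hits rather than alerting on them blindly.
XSS_RE = re.compile(
    r'<\s*/?\s*[a-z!]'   # a tag opener such as <img, <script, </x or <!--
    r'|\bon[a-z]+\s*='   # an event-handler attribute such as onerror=
    r'|javascript\s*:'   # a javascript: URL
    r'|srcdoc\s*=',      # inline document for an <iframe>
    re.IGNORECASE,
)


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding; scanners double-encode to slip past naive filters."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target):
    """Yield (name, decoded_value, matched_fragment) for query values that look injected."""
    query = urlsplit(target).query
    # parse_qsl strips one encoding layer and maps '+' to a space
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(raw)
        m = XSS_RE.search(value)
        if m:
            yield name, value, m.group(0)


def scan_log(text):
    """Return one finding per (request, parameter) pair that looks like an XSS probe."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate lines in another format instead of crashing
        target = m.group("target")
        path = urlsplit(target).path
        for name, value, matched in suspicious_params(target):
            findings.append({
                "ts": m.group("ts"),
                "ip": m.group("ip"),
                "path": path,
                "param": name,
                "value": value,
                "matched": matched,
                "status": int(m.group("status")),
                "ua": m.group("ua"),
                "admin_page": path.startswith("/wp-admin/"),
            })
    return findings


def is_hit(finding):
    """An admin-page request answered with 200 was served to a logged-in session; WordPress
    sends unauthenticated wp-admin requests a 302 to wp-login.php, so those are scanner noise."""
    return finding["admin_page"] and finding["status"] == 200


def triage(findings):
    """Split findings into payloads that reached a logged-in user and unauthenticated probes."""
    hits = [f for f in findings if is_hit(f)]
    noise = [f for f in findings if not is_hit(f)]
    return hits, noise


def sources(findings):
    """Count probes per source address; a burst from one address is scanner behaviour."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    all_findings = scan_log(SAMPLE_LOG)
    hits, noise = triage(all_findings)
    for label, group in (("REACHED LOGGED-IN USER", hits), ("unauthenticated probe", noise)):
        for f in group:
            print(f'{label}: {f["ts"]} {f["ip"]} {f["path"]} {f["param"]}={f["value"]!r} via {f["matched"]!r}')
    print("probes per source:", dict(sources(all_findings)))
```

On the constructed sample the two `python-requests` hits from 203.0.113.7 and the `curl` search probe are noise, while the 200 served to 198.51.100.23 with an external referer is the pattern to worry about: a logged-in user was lured to the crafted link, which is exactly the social-engineering step the attack depends on. The 302 heuristic only holds for regular admin pages (`admin.php` and friends), not for `admin-ajax.php` or REST endpoints, and a hit on a patched plugin version is still worth investigating as a targeting attempt.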
WordPress site administrators running a vulnerable version of the plugin are strongly advised to apply the available patch immediately to protect against the ongoing scanning and exploitation attempts.
The recommended course of action is to update both the free 'Advanced Custom Fields' plugin and 'Advanced Custom Fields PRO' to version 6.1.6; sites still on the 5.x branch should move to 5.12.6, which carries the backported fix.