PoC released for WordPress plugin vulnerability
Target Industry
Indiscriminate, opportunistic targeting.
Overview
Proof-of-Concept (PoC) code has been released for a vulnerability in the WordPress (WP) Advanced Custom Fields plugin. Tracked as CVE-2023-30777 (CVSSv3 Score 7.1; Severity Level – High), the flaw is a reflected cross-site scripting (XSS) issue.
Patchstack released the PoC on 5th May 2023. The next day, active exploitation of the vulnerability using the PoC code was detected.
Impact
Successful exploitation of CVE-2023-30777 allows threat actors to harvest data and engage in privilege escalation on affected WordPress sites.
Affected Products
WP Engine Advanced Custom Fields Pro and WP Engine Advanced Custom Fields plugins version 6.1.5.
Containment, Mitigations & Remediations
WordPress site administrators using the affected plugins are strongly recommended to apply the ‘Advanced Custom Fields’ free and pro plugins version 5.12.6 update as soon as possible, to prevent exploitation.
Indicators of Compromise
No specific Indicators of Compromise (IoCs) are available currently.
Threat Landscape
Recent reporting has indicated that over 1 million websites using the impacted WordPress plugin
to the latest version, thus providing threat actors with a relatively large attack surface.
WordPress holds a significant portion of the website market share. Given that threat actors generally use a combination of probability and asset value to determine which attack surfaces to spend their time on, vulnerable WordPress websites can emerge as prime targets. Because WordPress is so widely used, threat actors will continue to exploit vulnerable websites in an attempt to extract the sensitive information they contain.
Threat Group
No attribution to specific threat actors or groups has been identified at the time of writing.
Mitre Methodologies
Common Weakness Enumeration (CWE):
CWE-79 – Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)