Home / Threat Intelligence bulletins / PoC released for WordPress plugin vulnerability

Target Industry 

Indiscriminate, opportunistic targeting. 


A Proof-of-Concept (PoC) code has been released in relation to a WordPress (WP) Advanced Custom Fields plugin vulnerability. Tracked as CVE-2023-30777 (CVSSv3 Score 7.1; Severity Level – High), a flaw pertains to reflected cross-site scripting (XSS). 

Patchstack released the PoC on 5th May 2023. The next day, active exploitation of the vulnerability was detected via the utilisation of the PoC code. 


Successful exploitation of CVE-2023-30777 allows threat actors to harvest data and engage in privilege escalation on affected WordPress sites. 

Affected Products 

WP Engine Advanced Custom Fields Pro and WP Engine Advanced Custom Fields plugins version 6.1.5. 

Containment, Mitigations & Remediations 

WordPress site administrators using the affected plugins are strongly recommended to apply the ‘Advanced Custom Fields’ free and pro plugins version 5.12.6 update as soon as possible, to prevent exploitation. 

Indicators of Compromise 

No specific Indicators of Compromise (IoCs) are available currently. 

Threat Landscape 

Recent reporting has indicated that over 1 million websites using the impacted WordPress plugin 

to the latest version, thus providing threat actors with a relatively large attack surface. 

WordPress has a significant portion of the website market share. Given that threat actors generally utilise a combination of probability and asset value to determine which attack surfaces to spend their time on, vulnerable WordPress websites can emerge as prime targets. Due to the fact that WordPress websites are associated with widespread usage across the online domain, threat actors will continue to exploit vulnerabilities contained within vulnerable websites in an attempt to extract the sensitive information contained therein. 

Threat Group 

No attribution to specific threat actors or groups has been identified at the time of writing. 

Mitre Methodologies 

Common Weakness Enumeration(CWE): 

CWE-79 – Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 

Further Information 

Patchstack Advisory 

Intelligence Terminology Yardstick