CVE-2023-30777
📋 TL;DR
Unauthenticated reflected cross-site scripting (XSS) in WP Engine's Advanced Custom Fields and Advanced Custom Fields Pro WordPress plugins: a request parameter is reflected into a page without adequate escaping, so an attacker who needs no account can craft a URL that runs script in the browser of whoever opens it. Affects versions up to and including 6.1.5; fixed in 6.1.6. The plugin is installed on roughly 2 million sites.
💻 Affected Systems
- WP Engine Advanced Custom Fields Pro
- WP Engine Advanced Custom Fields
📦 What is this software?
Advanced Custom Fields (ACF), vendor listed as Advancedcustomfields and maintained by WP Engine, is a WordPress plugin for adding custom field groups to post, page, user and other edit screens and reading them from themes. ACF Pro is the paid edition with additional field types; it is sold and updated through the vendor's site rather than the wordpress.org plugin repository.
⚠️ Risk & Real-World Impact
Worst Case
The injected script runs with the privileges of whichever logged-in user opens the link. WordPress sets its authentication cookies HttpOnly, so lifting the session cookie through document.cookie is not the realistic path; instead the script issues authenticated requests from the victim's browser (the REST and admin-ajax nonces are present in the page), for example creating an administrator account, editing theme files, or installing a plugin. With an administrator as the victim that is a complete site compromise; defacement and redirecting visitors to malicious sites follow from the same access.
Likely Case
An attacker, who needs no account on the site, gets a logged-in user to open a crafted link (phishing mail, a comment, a link planted on another site); the JavaScript payload executes in that user's browser and performs actions limited to that user's privileges. A visitor who is not logged in gains the attacker little, which is why the realistic target is an administrator or editor.
If Mitigated
With proper input validation and output encoding in place, the injected script is rendered as inert text rather than executed, so the crafted link does nothing. That fix lives in the plugin code; site-side workarounds (WAF, CSP) only approximate it.
🎯 Exploit Status
Reflected XSS is exploited by getting a victim to open a crafted URL; no authentication or special tooling is needed. Patchstack published technical details of this issue (see References), so working payloads should be assumed to be known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.1.6 and later
Vendor Advisory: https://www.advancedcustomfields.com/blog/acf-6-1-6-security-release/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find Advanced Custom Fields or Advanced Custom Fields Pro.
4. Click 'Update Now' if an update is offered.
5. Alternatively, download the latest version from the WordPress plugin repository (free edition) or from the ACF website (Pro edition, which is not distributed through wordpress.org and receives automatic updates only with an active license) and update manually.
🔧 Temporary Workarounds
Input Validation Filter
Add custom input validation to sanitize user input before processing
Suggested hook: add_filter('acf/validate_value', 'custom_sanitize_function', 10, 4);
Caveat: acf/validate_value runs when a field value is submitted and saved, not when a request parameter is reflected into a page, so this hook does not close the reflected XSS. Treat it as general hardening at most and do not rely on it in place of the update.
WAF Rule
Implement web application firewall rules to block XSS payloads in URLs
ModSecurity rule: SecRule ARGS|REQUEST_URI "@rx <\s*script|javascript\s*:|\bon(error|load|mouseover|focus|click)\s*=" "id:1001,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,deny,status:403,log,msg:'XSS attempt'"
A bare single-pattern rule such as @rx <script> is defeated by a change of case, percent-encoding, or a non-script vector such as an img tag with an onerror handler; the decoding and lowercase transforms above and the broader pattern close the obvious gaps. If the OWASP Core Rule Set is deployed, its 941xxx XSS rules already cover these vectors and are preferable to a hand-written rule.
Cloudflare WAF: enable the managed XSS rules. Any WAF is a stopgap; a determined attacker can usually find an encoding the rule does not normalise.
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution sources. Caveat: a CSP stops reflected XSS only if it forbids inline scripts (nonces or hashes rather than 'unsafe-inline'), and WordPress admin screens and most plugins rely on inline scripts, so a strict policy on wp-admin is rarely achievable without breakage; treat CSP as defence in depth, not a fix.
- Use a web application firewall to filter malicious input patterns (see the WAF workaround above).
- Deactivate the plugin until it can be updated if the site can tolerate its custom fields temporarily not rendering; the field data remains in the database.
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in WordPress admin under Plugins > Installed Plugins. Any version up to and including 6.1.5, of either the free or the Pro edition, is vulnerable.
Check Version:
wp plugin list --name=advanced-custom-fields --field=version (WP-CLI; use --name=advanced-custom-fields-pro for the Pro edition) or check the WordPress admin plugins page
Verify Fix Applied:
After updating, verify the plugin version shows 6.1.6 or later, both in the dashboard and in the Version: header of the plugin's main file on disk (a cached admin page can show stale data). If you test by hand, use a harmless marker string rather than a live payload and confirm it comes back HTML-escaped in the response source instead of as markup.
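As an added example (not code from the page or from ACF), the version check from the steps above done against the file on disk rather than the dashboard. It assumes the standard wp-content/plugins/<slug>/acf.php layout for both editions and uses a constructed plugin header as sample input. The point it makes beyond the prose: compare versions numerically, because a string comparison ranks 6.1.10 below 6.1.6 and would report a patched site as vulnerable.

```python
import re
from pathlib import Path
from typing import List, Optional, Tuple

# First release carrying the fix, per the vendor advisory for CVE-2023-30777.
FIXED_VERSION = "6.1.6"
# Directory names the two editions use under wp-content/plugins/ (assumed layout);
# both ship acf.php as the main plugin file.
PLUGIN_SLUGS = ("advanced-custom-fields", "advanced-custom-fields-pro")

# Constructed sample of a WordPress plugin file header; not the real acf.php.
SAMPLE_ACF_HEADER = """<?php
/*
Plugin Name: Advanced Custom Fields
Plugin URI: https://www.advancedcustomfields.com
Version: 6.1.5
Author: WP Engine
*/
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Convert '6.1.10' into (6, 1, 10) so versions compare numerically.

    A plain string comparison ranks '6.1.10' below '6.1.6'; tuple comparison
    gets it right. A suffix such as '-beta1' is ignored.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version predates the fixed release."""
    return parse_version(version) < parse_version(fixed)


def version_from_plugin_header(source: str) -> Optional[str]:
    """Read the 'Version:' line from a plugin's main file, the same header
    WordPress parses to show the version on the Plugins screen."""
    m = re.search(r"^[ \t/*#@]*Version:\s*(\S+)", source, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def audit_plugin_file(source: str) -> dict:
    """Return {'version': str|None, 'vulnerable': bool|None} for one plugin file."""
    version = version_from_plugin_header(source)
    if version is None:
        return {"version": None, "vulnerable": None}
    return {"version": version, "vulnerable": is_vulnerable(version)}


def audit_wp_install(wp_root: str) -> List[dict]:
    """Check every ACF edition present under a WordPress document root."""
    results = []
    for slug in PLUGIN_SLUGS:
        main_file = Path(wp_root) / "wp-content" / "plugins" / slug / "acf.php"
        if main_file.is_file():
            source = main_file.read_text(encoding="utf-8", errors="replace")
            results.append({"slug": slug, **audit_plugin_file(source)})
    return results


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        # Usage: python acf_version_check.py /var/www/html
        for result in audit_wp_install(sys.argv[1]):
            print(result)
    else:
        print("sample header:", audit_plugin_file(SAMPLE_ACF_HEADER))
```

Run it with the WordPress document root as the argument; with no argument it audits the constructed sample header, which reports 6.1.5 as vulnerable.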
📡 Detection & Monitoring
Log Indicators:
- Unusually long URL parameters containing script tags or JavaScript code, including percent-encoded forms (%3Cscript, onerror%3D)
- Multiple 403 errors from WAF blocking XSS attempts
- Referer headers pointing at unfamiliar external pages on requests that carry such parameters. In a reflected XSS the request is made by the victim's browser, so the source IP is the victim's, not the attacker's, and the Referer is where the link was planted
Network Indicators:
- HTTP requests with script tags in query parameters
- URLs containing encoded JavaScript payloads
- Unusual spike in requests to ACF-related endpoints
SIEM Query:
source="web_logs" AND (uri="*<script*" OR uri="*%3Cscript*" OR uri="*javascript:*" OR uri="*javascript%3A*" OR uri="*onload=*" OR uri="*onerror=*" OR uri="*onerror%3D*")
(Splunk-style pseudo-syntax. If the SIEM exposes a URL-decoded URI field, search that instead of enumerating encodings; expect some false positives from legitimate parameter names such as online=.)
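The log, network and SIEM indicators above, applied as one detector over sample access-log lines; this is an added example, not tooling from the page or from Patchstack. It assumes Apache/Nginx combined log format, decodes percent-encoding repeatedly (double encoding is a standard WAF bypass) and HTML entities before matching, and separates payloads that reached a wp-admin page with a 200 from those the WAF rejected with a 403. The log lines are constructed; the query parameter p is a placeholder and is not the parameter involved in CVE-2023-30777.

```python
import html
import re
from typing import Dict, Iterable, List
from urllib.parse import unquote_plus

# Constructed sample lines in combined log format. The parameter `p` is a
# placeholder, not the parameter involved in the ACF vulnerability.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2023:12:00:01 +0000] "GET /wp-admin/edit.php?post_type=acf-field-group HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2023:12:00:05 +0000] "GET /wp-admin/edit.php?post_type=acf-field-group&p=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5210 "-" "Mozilla/5.0"
198.51.100.3 - - [10/May/2023:12:01:10 +0000] "GET /wp-admin/edit.php?post_type=acf-field-group&p=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5200 "-" "curl/8.0"
198.51.100.3 - - [10/May/2023:12:01:11 +0000] "GET /?s=%3Cscript%3E HTTP/1.1" 403 199 "-" "curl/8.0"
192.0.2.9 - - [10/May/2023:12:02:00 +0000] "GET /wp-content/uploads/2023/05/onboarding.png HTTP/1.1" 200 14000 "-" "Mozilla/5.0"
"""

# Combined log format: client, identd, user, [timestamp], "METHOD URI PROTO", status, size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Vectors checked against the fully decoded URI. The event-handler list is
# deliberately explicit so that names like "onboarding" or "online" do not match.
XSS_PATTERNS = [
    ("script-tag", re.compile(r"<\s*script\b", re.I)),
    ("event-handler", re.compile(
        r"\bon(?:error|load|click|focus|blur|mouse\w*|key\w*|animation\w*|pointer\w*|toggle)\s*=", re.I)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.I)),
    ("html-tag", re.compile(r"<\s*(?:img|svg|iframe|object|embed|body)\b", re.I)),
]


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo percent-encoding until it stops changing, then HTML entities."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return html.unescape(value)


def scan_log(lines: Iterable[str]) -> List[Dict]:
    """Return one finding per request whose decoded URI matches an XSS vector."""
    findings = []
    for raw in lines:
        m = LOG_RE.match(raw)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        decoded = fully_decode(m["uri"])
        hits = [name for name, rx in XSS_PATTERNS if rx.search(decoded)]
        if not hits:
            continue
        status = int(m["status"])
        findings.append({
            "ip": m["ip"],
            "time": m["ts"],
            "uri": m["uri"],
            "decoded": decoded,
            "indicators": hits,
            # Payloads aimed at the admin area are the ones relevant to this CVE.
            "admin_area": decoded.split("?", 1)[0].startswith("/wp-admin/"),
            # 403 means the WAF rejected it; 200 means the page served the payload.
            "blocked": status == 403,
            "status": status,
        })
    return findings


def summarize(findings: List[Dict]) -> Dict[str, int]:
    """Counts a SIEM dashboard would show for the scanned window."""
    return {
        "total": len(findings),
        "served": sum(1 for f in findings if not f["blocked"]),
        "blocked": sum(1 for f in findings if f["blocked"]),
        "admin_area": sum(1 for f in findings if f["admin_area"]),
    }


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG.splitlines())
    for f in results:
        print(f["ip"], f["status"], f["indicators"], f["decoded"])
    print(summarize(results))
```

On the sample, the double-encoded img/onerror request is only caught because decoding is repeated; a single unquote leaves %3C in place and the SIEM wildcard for <script would miss it too. Remember that a served payload shows the victim's IP, so pivot on the Referer and on which user was logged in at that time rather than blocking the source address.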
🔗 References
- https://patchstack.com/articles/reflected-xss-in-advanced-custom-fields-plugins-affecting-2-million-sites?_s_id=cve
- https://patchstack.com/database/vulnerability/advanced-custom-fields-pro/wordpress-advanced-custom-fields-pro-plugin-6-1-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
- https://patchstack.com/database/vulnerability/advanced-custom-fields/wordpress-advanced-custom-fields-plugin-6-1-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve