Millions of websites vulnerable to hackers due to critical vulnerability in WordPress plugin
Users of the Advanced Custom Fields plugin for WordPress are being urged to update to version 6.1.6 following the discovery of a security vulnerability that could be exploited to inject arbitrary executable scripts into otherwise innocent web pages.
The most popular custom fields plugins for WordPress, Advanced Custom Fields and Advanced Custom Fields Pro (versions 6.1.5 and below, in both the free and pro editions), have been found to contain a security vulnerability tracked as CVE-2023-30777.
By tricking a privileged user into visiting a crafted URL path, this vulnerability allows an unauthenticated attacker to steal sensitive information and, in this case, escalate privileges on the WordPress site. It's worth noting that CVE-2023-30777 can only be triggered by logged-in users with access to the plugin, but it can be triggered in a default installation or configuration of Advanced Custom Fields.
The issue was discovered and reported to the maintainers on 2 May 2023. Advanced Custom Fields plugin users are urged to update to version 6.1.6.
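The practical check that follows from the advice above is whether an installed copy is at 6.1.6 or later. The script below is an added example, not code from the article or from the plugin's maintainers: it reads the `Version:` line from a WordPress plugin's main-file header (the standard WordPress plugin header format), compares it against the fixed release named in the article, and reports whether the copy falls in the affected range (6.1.5 and below). The two header snippets are constructed samples, not copied from the real plugin file.

```python
import re
from typing import Optional

# Fixed release named in the advisory; anything below it (6.1.5 and earlier) is affected.
FIXED_VERSION = "6.1.6"

# WordPress plugin headers sit in a comment block at the top of the plugin's main
# PHP file, one "Key: value" per line, e.g. "Version: 6.1.5" or " * Version: 6.1.5".
_VERSION_HEADER = re.compile(
    r"^\s*\*?\s*Version:\s*(?P<ver>[0-9][0-9A-Za-z.\-]*)\s*$", re.MULTILINE
)


def parse_version(ver: str) -> tuple:
    """Turn '6.1.5' (or a pre-release like '6.1.6-rc1') into a comparable tuple.

    Numeric components are compared as ints, padded to three places so that
    '6.1' equals '6.1.0'. A pre-release suffix sorts below the plain release,
    so '6.1.6-rc1' still counts as older than the fixed '6.1.6'.
    """
    core, _, suffix = ver.partition("-")
    parts = tuple(int(p) for p in core.split(".") if p.isdigit())
    parts = parts + (0,) * (3 - len(parts))
    return parts + ((0, suffix) if suffix else (1, ""))


def plugin_version_from_header(plugin_file_text: str) -> Optional[str]:
    """Extract the Version header value from the plugin's main-file text, if present."""
    match = _VERSION_HEADER.search(plugin_file_text)
    return match.group("ver") if match else None


def is_vulnerable(version: str) -> bool:
    """True when the installed version is older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def assess(plugin_file_text: str) -> dict:
    """Summarise a plugin main file: detected version and whether it is in the affected range.

    'vulnerable' is None when no Version header could be read, so a missing
    header is reported rather than silently treated as safe.
    """
    version = plugin_version_from_header(plugin_file_text)
    if version is None:
        return {"version": None, "vulnerable": None, "note": "no Version header found"}
    return {
        "version": version,
        "vulnerable": is_vulnerable(version),
        "note": f"update to {FIXED_VERSION} or later" if is_vulnerable(version) else "at or above fixed release",
    }


# Constructed sample headers (not the real plugin file), one affected and one patched.
SAMPLE_VULNERABLE = """<?php
/*
Plugin Name: Advanced Custom Fields
Version: 6.1.5
*/
"""

SAMPLE_PATCHED = """<?php
/**
 * Plugin Name: Advanced Custom Fields
 * Version: 6.1.6
 */
"""

if __name__ == "__main__":
    # On a live site you would pass the contents of the plugin's main PHP file
    # (path assumed to be under wp-content/plugins/<plugin-slug>/) instead of the samples.
    for label, text in (("sample-vulnerable", SAMPLE_VULNERABLE), ("sample-patched", SAMPLE_PATCHED)):
        print(label, assess(text))
```

The comparison deliberately treats a missing header as "unknown" rather than "safe", and sorts pre-release builds of 6.1.6 below the final release, since the article names 6.1.6 itself as the fixed version.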