Millions of websites vulnerable to hackers due to critical vulnerability in WordPress plugin
Following the discovery of a security vulnerability, users of the Advanced Custom Fields plugin for WordPress are being urged to update to version 6.1.6. which could be exploited to inject arbitrary executable scripts into otherwise innocent web pages.
The most popular custom fields plugins in WordPress, Advanced Custom Fields and Advanced Custom Fields Pro (versions 6.1.5 and below, free and pro version), have been revealed to have a security vulnerability, dubbed CVE-2023-30777.
By tricking a privileged user into visiting the crafted URL path, this vulnerability allows any unauthenticated user to steal sensitive information, in this case, privilege escalation on the WordPress site. It’s worth noting that CVE-2023-30777 can only be enabled by logged-in users with access to the plugin but can be enabled in a default installation or configuration of Advanced Custom Fields.
The issue was discovered and reported to the maintainers on 2 May 2023. Advanced Custom Fields plugin users are urged to update to version 6.1.6.
About author
DW Team
The GIP Digital Watch Observatory team, consisting of over 30 digital policy experts from around the world, excels in the fields of research and analysis on digital policy issues. The team is backed by the creative prowess of Creative Lab Diplo and the technical expertise of the Diplo tech team.