In a concerning turn of events, hackers have wasted no time in exploiting a recently fixed vulnerability in the popular WordPress Advanced Custom Fields plugin. Merely 24 hours after a proof-of-concept (PoC) exploit was made public, reports have emerged about active attacks targeting WordPress sites.
The vulnerability
The vulnerability in question, known as CVE-2023-30777, is a high-severity reflected cross-site scripting (XSS) flaw. This security loophole enables unauthenticated attackers to gain unauthorised access to sensitive information and elevate their privileges on compromised WordPress sites.
Patchstack, a website security company, first discovered the flaw on May 2nd, 2023. They promptly disclosed it, along with a PoC exploit, on May 5th, just one day after the plugin vendor had released a security update (version 6.1.6).
The Akamai Security Intelligence Group (SIG) recently reported a surge in scanning and exploitation activities starting on May 6th, 2023. Attackers were observed employing the sample code provided in Patchstack's disclosure to carry out their malicious activities.
Interestingly, the threat actors directly copied and utilised the Patchstack sample code from the public write-up, as identified by the Akamai SIG. This level of imitation underscores the immediacy with which hackers seized upon the opportunity presented by the public disclosure.
Disturbingly, despite the availability of a security patch, over 1.4 million websites using the affected WordPress plugin have failed to upgrade to the latest version, as per wordpress.org statistics. This large number of unpatched sites provides hackers with a substantial attack surface to target.
Exploiting the XSS flaw necessitates the involvement of a logged-in user who possesses access to the plugin. By executing malicious code within the user's browser, the attackers can gain elevated privileges on the compromised site. However, these findings reveal that threat actors are not deterred by this requirement and are confident in their ability to circumvent it through basic trickery and social engineering.
Compounding the issue is the fact that the exploit works even on default configurations of the impacted plugin versions. This significantly increases the chances of success for the attackers, as they can execute their attacks without requiring additional effort.
Immediate action required
In light of these developments, it is crucial for WordPress site administrators utilising the vulnerable plugins to take immediate action and apply the available patch. Upgrading both the free and pro versions of the 'Advanced Custom Fields' plugin to versions 5.12.6 (backported) and 6.1.6, respectively, is strongly recommended.
Failure to address this vulnerability promptly leaves websites susceptible to ongoing scanning and exploitation attempts by malicious actors. Therefore, website administrators must prioritise security and take the necessary steps to safeguard their WordPress installations from this active threat.
In conclusion, the rapid exploitation of the WordPress Advanced Custom Fields plugin vulnerability serves as a stark reminder of the ever-present risks associated with software vulnerabilities. It highlights the critical importance of promptly applying security updates and patches to ensure the protection of online assets.
Conclusion
This exploitation is a reminder of the importance of good website maintenance. It is essential for website managers and administrators to regularly check their website for vulnerabilities, particularly if they have Web Applications attached to their website or they collect personal data. Form submission data can be stored in the backend of WordPress websites and if not regularly cleansed, could end up with a costly data breach. It is important for companies to undertake regular penetration testing, particularly Web Application Penetration Testing.
Find out about our Web Application Penetration Testing services here.
