A proof-of-concept (PoC) exploit for a recently patched vulnerability in the WordPress Advanced Custom Fields (ACF) plugin has been made public, and attackers are already using it against unpatched sites. The flaw, tracked as CVE-2023-30777, is a high-severity reflected cross-site scripting (XSS) bug: an unauthenticated attacker who lures a logged-in, privileged user to a crafted link can run script in that user's browser and, from there, steal sensitive information or escalate privileges on the site.
Website security firm Patchstack found and reported the bug on May 2, 2023. The plugin vendor shipped a fix in version 6.1.6 on May 4, and Patchstack published its write-up, including a proof-of-concept exploit, one day later, on May 5. Starting on May 6, 2023, the Akamai Security Intelligence Group (SIG) observed substantial scanning and exploitation activity that used the sample code from Patchstack's write-up, as it disclosed yesterday.
“The Akamai SIG analyzed XSS attack data and identified attacks starting within 24 hours of the exploit PoC being made public,” reads the report. “What is particularly interesting about this is the query itself: The threat actor copied and used the Patchstack sample code from the write-up.”
According to wordpress.org statistics, more than 1.4 million of the sites running the plugin are still on an older, vulnerable version, giving attackers a large attack surface. Exploiting the XSS flaw does require a victim: the targeted user must be logged in with access to the plugin's admin pages and must be tricked into opening an attacker-crafted link. The injected script then runs in that user's browser and can act on the site with the user's privileges, which is how the attacker ends up with high-privileged access.
The scanning activity shows that this precondition is not much of a deterrent: threat actors evidently expect to get past it with simple deception and social engineering. The exploit also works against the affected versions in their default configuration, so attackers need no additional setup on the target for it to succeed.
To protect against the ongoing scanning and exploitation, WordPress site administrators running the plugin are urged to apply the available fix promptly. Both the free Advanced Custom Fields plugin and the paid ACF PRO are fixed in version 6.1.6; sites still on the 5.x branch can update to 5.12.6, to which the vendor backported the fix.
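As an added, constructed example (not code from this article, from Patchstack's write-up or from Akamai), the two checks that follow from the preceding paragraphs: a branch-aware test of an installed ACF version against the patched releases named here (6.1.6, and the backported 5.12.6 for the 5.x line), and a scan of web-server access-log lines for reflected-XSS probes aimed at /wp-admin/ pages. The log lines, the query-parameter name `x` and the payload patterns are constructed for illustration and are not the published PoC or observed telemetry.

```python
"""Constructed triage helpers for CVE-2023-30777 (ACF reflected XSS).

1. is_vulnerable_version(): is an installed ACF version below the fix on its branch?
2. flag_reflected_xss(): which access-log requests to /wp-admin/ carry XSS markers?
"""
from __future__ import annotations

import re
from urllib.parse import unquote, urlsplit

# Minimum patched release per major branch: 6.1.6 for the 6.x line,
# the vendor's backported 5.12.6 for the 5.x line.
PATCHED_BY_BRANCH = {5: (5, 12, 6), 6: (6, 1, 6)}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '6.1.5' into (6, 1, 5); missing components are treated as 0."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = [int(p) for p in parts]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3])


def is_vulnerable_version(version: str) -> bool:
    """True when the installed version predates the fix on its branch.

    Assumption: branches older than 5.x got no backport and are treated as
    vulnerable ("before 6.1.6"); branches newer than 6.x include the fix.
    """
    v = parse_version(version)
    if v[0] > 6:
        return False
    if v[0] < 5:
        return True
    return v < PATCHED_BY_BRANCH[v[0]]


# Apache/Nginx "combined" log format, parsed just far enough for triage.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Markers a reflected-XSS probe leaves in a query string (matched after URL-decoding).
_XSS_MARKERS = re.compile(
    r"<\s*script|<\s*svg|<\s*img|on(?:load|error|focus|mouseover)\s*=|javascript:",
    re.IGNORECASE,
)


def flag_reflected_xss(log_lines: list[str]) -> list[dict]:
    """One record per request to /wp-admin/ whose decoded query string contains
    an XSS marker. Lines that do not match the log format are skipped."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.startswith("/wp-admin/"):
            continue
        # Decode twice so a double-encoded payload does not slip past the markers.
        decoded = unquote(unquote(url.query))
        marker = _XSS_MARKERS.search(decoded)
        if marker:
            hits.append({"ip": m["ip"], "path": url.path, "marker": marker.group(0),
                         "query": decoded, "status": int(m["status"])})
    return hits


# Constructed sample log lines (RFC 5737 addresses; the "x" parameter is invented).
SAMPLE_LOG = [
    # Probe: reflected payload in a parameter on the ACF field-group list page.
    '203.0.113.7 - - [06/May/2023:03:14:22 +0000] "GET /wp-admin/edit.php?post_type=acf-field-group&x=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 8412 "-" "Mozilla/5.0"',
    # Probe with double encoding.
    '203.0.113.7 - - [06/May/2023:03:14:25 +0000] "GET /wp-admin/edit.php?post_type=acf-field-group&page=acf-tools&x=%253Csvg%2520onload%253Dalert(1)%253E HTTP/1.1" 200 8412 "-" "Mozilla/5.0"',
    # Benign admin traffic.
    '198.51.100.4 - - [06/May/2023:03:15:01 +0000] "GET /wp-admin/edit.php?post_type=acf-field-group HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    # Same marker, but not under /wp-admin/: out of scope for this rule.
    '198.51.100.9 - - [06/May/2023:03:16:40 +0000] "GET /?s=%3Cscript%3E HTTP/1.1" 200 5120 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for ver in ("5.12.5", "5.12.6", "6.0.7", "6.1.5", "6.1.6"):
        print(ver, "vulnerable" if is_vulnerable_version(ver) else "patched")
    for hit in flag_reflected_xss(SAMPLE_LOG):
        print(hit["ip"], hit["path"], hit["marker"])
```

The version check is branch-aware on purpose: a naive "is it below 6.1.6?" test would wrongly flag a 5.12.6 install that carries the backported fix. The log scan decodes the query string before matching, because the markers in a percent-encoded payload never appear literally in the raw line; restricting it to /wp-admin/ keeps the rule focused on the attack surface this bug actually exposes and avoids flagging ordinary front-end search noise.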