A proof-of-concept (PoC) exploit for a vulnerability in the WordPress Advanced Custom Fields plugin was made public around 24 hours ago, and hackers are already actively exploiting it.
The affected WordPress sites are vulnerable to CVE-2023-30777, a high-severity reflected cross-site scripting (XSS) bug that enables unauthenticated attackers to steal sensitive information and escalate their privileges.
On May 2, 2023, website security firm Patchstack found the bug. A proof-of-concept exploit and disclosure of the issue were made public on May 5th, one day after the plugin vendor had issued a security update with version 6.1.6.
Starting on May 6th, 2023, the Akamai Security Intelligence Group (SIG) observed substantial scanning and exploitation activity using the sample code supplied in Patchstack's write-up, as the group revealed yesterday.
According to statistics from wordpress.org, over 1.4 million websites that use the vulnerable WordPress plugin are still running an older version, giving the attackers a huge attack surface to work with.
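An added defender-side check, not part of the original article: given the output of `wp plugin list --format=csv` (a constructed sample here), it reports an Advanced Custom Fields install that predates the fixed 6.1.6 release. The plugin slug `advanced-custom-fields` and the CSV column order are assumptions.

```shell
# Constructed sample of `wp plugin list --format=csv` output (not real site data);
# the slug "advanced-custom-fields" and the column layout are assumptions.
SAMPLE_PLUGIN_LIST='name,status,update,version
akismet,active,none,5.1
advanced-custom-fields,active,available,6.1.5
classic-editor,inactive,none,1.6.3'

# Version that shipped the fix for CVE-2023-30777.
FIXED_VERSION="6.1.6"

# Returns 0 when dotted version $1 is older than $2, 1 otherwise.
# Compares components numerically, so 6.10.0 correctly sorts after 6.1.6
# (a plain string comparison would get that wrong).
version_lt() {
    IFS=. read -r a1 a2 a3 rest <<EOF
$1
EOF
    IFS=. read -r b1 b2 b3 rest <<EOF
$2
EOF
    a1=${a1:-0}; a2=${a2:-0}; a3=${a3:-0}
    b1=${b1:-0}; b2=${b2:-0}; b3=${b3:-0}
    [ "$a1" -lt "$b1" ] && return 0
    [ "$a1" -gt "$b1" ] && return 1
    [ "$a2" -lt "$b2" ] && return 0
    [ "$a2" -gt "$b2" ] && return 1
    [ "$a3" -lt "$b3" ]
}

# Takes the CSV plugin list on $1. Prints the installed ACF version and
# returns 0 if it is older than the fix; returns 1 if ACF is absent or patched.
acf_needs_update() {
    installed=$(printf '%s\n' "$1" | awk -F, '$1=="advanced-custom-fields"{print $4}')
    [ -n "$installed" ] || return 1
    if version_lt "$installed" "$FIXED_VERSION"; then
        printf '%s\n' "$installed"
        return 0
    fi
    return 1
}
```

On a live site, replace the sample with `wp plugin list --format=csv` run from the WordPress root.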
Exploiting the XSS weakness requires a signed-in user with access to the plugin to be tricked into running malicious code in their browser, which then grants the attackers high-privileged access to the website.