
New Vulnerability in Popular WordPress Plugin Exposes Over 2 Million Sites to Cyberattacks
2023-05-06 05:41

Users of the Advanced Custom Fields plugin for WordPress are being urged to update to version 6.1.6 following the discovery of a reflected cross-site scripting (XSS) flaw.

"This vulnerability allows any unauthenticated user to steal sensitive information and, in this case, to escalate privileges on the WordPress site by tricking a privileged user into visiting the crafted URL path," Patchstack researcher Rafie Muhammad said.

Reflected XSS attacks usually occur when a victim is tricked into clicking a bogus link sent by email or another route. The malicious code carried in that link is sent to the vulnerable website, which reflects it back into the victim's browser, where it runs with the privileges of the victim's session on that site.

This dependence on social engineering means that reflected XSS does not have the reach and scale of stored XSS attacks, which is why threat actors try to distribute the malicious link to as many victims as possible.
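The reflection described above, shown as an added example that is not code from the Advanced Custom Fields plugin or from the article: a toy page renderer that copies the "q" query parameter into its HTML, beside a hardened version that escapes the value first. The parameter name, the page template, the host example.invalid and the script payload are all constructed for this illustration.

```javascript
// Constructed example of a reflected XSS flaw and its fix. Not code from
// Advanced Custom Fields or any real plugin; the "q" parameter, the template,
// the host and the payload are assumptions made for the illustration.

// Vulnerable renderer: the value of the "q" query parameter is copied straight
// into the HTML response, so whatever markup the URL carries is "reflected"
// back into the victim's browser and executed in the site's origin.
function renderSearchVulnerable(url) {
  const q = new URL(url).searchParams.get("q") ?? "";
  return `<h1>Results for: ${q}</h1>`;
}

// Minimal HTML escaping of the characters that matter in text and attribute
// context (the same idea as WordPress's esc_html(), written inline so the
// example runs stand-alone).
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened renderer: same template, but untrusted input is escaped before it
// is placed into HTML, so the browser displays the payload as plain text.
function renderSearchSafe(url) {
  const q = new URL(url).searchParams.get("q") ?? "";
  return `<h1>Results for: ${escapeHtml(q)}</h1>`;
}

// A crafted link of the kind the article describes: the attacker sends it to a
// privileged user and the site's own response delivers the script into that
// user's authenticated session. Host and payload are constructed.
const payload = "<script>fetch('/wp-json/wp/v2/users/me')</script>";
const craftedLink =
  "https://example.invalid/search?q=" + encodeURIComponent(payload);

// Check whether a rendered page contains an executable script tag that came
// from the request rather than from the template.
function reflectsScript(html) {
  return /<script[\s>]/i.test(html);
}

console.log("vulnerable:", renderSearchVulnerable(craftedLink));
console.log("hardened:  ", renderSearchSafe(craftedLink));
```

The vulnerable output contains the attacker's `<script>` element verbatim; the hardened output carries `&lt;script&gt;...`, which the browser renders as text. Escaping at the point where data enters HTML (text, attribute, URL or JavaScript context each need their own encoder) is the fix; validating the URL path alone does not help, because the dangerous content arrives in the query string.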

The development comes as Craft CMS patched two medium-severity XSS flaws that could be exploited by a threat actor to serve malicious payloads.

"An attacker can not only attack the management ports of cPanel but also the applications that are running on ports 80 and 443," Assetnote's Shubham Shah said, adding that it could enable an adversary to hijack a valid user's cPanel session.


News URL

https://thehackernews.com/2023/05/new-vulnerability-in-popular-wordpress.html

Related vendor

Vendor      Products (last 12 months)   Low   Medium   High   Critical   Total vulns
Wordpress   7                           2     95       44     18         159
Plugin      2                           0     13       1      0          14