Security News > 2023 > May > Hackers target Wordpress plugin flaw after PoC exploit released
Hackers are actively exploiting a recently fixed vulnerability in the WordPress Advanced Custom Fields plugin roughly 24 hours after a proof-of-concept exploit was made public.
The vulnerability in question is CVE-2023-30777, a high-severity reflected cross-site scripting flaw that allows unauthenticated attackers to steal sensitive information and escalate their privileges on impacted WordPress sites.
The flaw was discovered by website security company Patchstack on May 2nd, 2023, and was disclosed along with a proof-of-concept exploit on May 5th, a day after the plugin vendor had released a security update with version 6.1.6.
"The Akamai SIG analyzed XSS attack data and identified attacks starting within 24 hours of the exploit PoC being made public," reads the report.
The XSS flaw requires the involvement of a logged-in user who has access to the plugin to run malicious code on their browser that will give the attackers high-privileged access to the site.
The exploit works on default configurations of the impacted plugin versions, which increases the chances of success for the threat actors without requiring extra effort.
News URL
Related news
- 390,000+ WordPress Credentials Stolen via Malicious GitHub Repository Hosting PoC Exploits (source)
- LiteSpeed Cache WordPress plugin bug lets hackers get admin access (source)
- Russian Hackers Exploit New NTLM Flaw to Deploy RAT Malware via Phishing Emails (source)
- High-Severity Flaw in PostgreSQL Allows Hackers to Exploit Environment Variables (source)
- Chinese hackers exploit Fortinet VPN zero-day to steal credentials (source)
- Chinese Hackers Exploit T-Mobile and Other U.S. Telecoms in Broader Espionage Campaign (source)
- Hackers exploit critical bug in Array Networks SSL VPN products (source)
- APT-C-60 Hackers Exploit StatCounter and Bitbucket in SpyGlace Malware Campaign (source)
- Hackers exploit ProjectSend flaw to backdoor exposed servers (source)
- PoC exploit for critical WhatsUp Gold RCE vulnerability released (CVE-2024-8785) (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-05-10 | CVE-2023-30777 | Unspecified vulnerability in Advancedcustomfields Advanced Custom Fields Unauth. | 6.1 |