Hackers target WordPress plugin flaw after PoC exploit released

Hackers are actively exploiting a recently fixed vulnerability in the WordPress Advanced Custom Fields plugin roughly 24 hours after a proof-of-concept exploit was made public.
The vulnerability in question is CVE-2023-30777, a high-severity reflected cross-site scripting flaw that allows unauthenticated attackers to steal sensitive information and escalate their privileges on impacted WordPress sites.
The flaw was discovered by website security company Patchstack on May 2nd, 2023, and was disclosed along with a proof-of-concept exploit on May 5th, a day after the plugin vendor had released a security update with version 6.1.6.
"The Akamai SIG analyzed XSS attack data and identified attacks starting within 24 hours of the exploit PoC being made public," reads the report.
Exploiting the XSS flaw requires a logged-in user who has access to the plugin to run malicious code in their browser, which then gives the attackers high-privileged access to the site.
The exploit works on default configurations of the impacted plugin versions, which increases the chances of success for the threat actors without requiring extra effort.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-05-10 | CVE-2023-30777 | Unspecified vulnerability in Advancedcustomfields Advanced Custom Fields Unauth. | 6.1 |