WordPress plugin hole puts '2 million websites' at risk

WordPress users with the Advanced Custom Fields plugin on their website should upgrade after the discovery of a vulnerability in the code that could open up sites and their visitors to cross-site scripting (XSS) attacks.

A warning from Patchstack about the flaw claimed there are more than two million active installs of the Advanced Custom Fields and Advanced Custom Fields Pro versions of the plugins, which are used to give site operators greater control of their content and data.

Patchstack researcher Rafie Muhammad uncovered the vulnerability on May 2, and reported it to Advanced Custom Fields' vendor Delicious Brains, which took over the software last year from developer Elliot Condon.

On May 5, a month after a patched version of the plugins was released by Delicious Brains, Patchstack published details of the flaw. It's recommended users update their plugin to at least version 6.1.6.

The flaw, tracked as CVE-2023-30777 and with a CVSS score of 6.1 out of 10 in severity, leaves sites vulnerable to reflected XSS attacks, which involve miscreants injecting malicious code into webpages. The code is then "reflected" back and executed within the browser of a visitor.

Essentially, it allows someone to run JavaScript within another person's view of a page, allowing the attacker to do things like steal information from the page, perform actions as the user, and so on. That's a big problem if the visitor is a logged-in administrative user, as their account could be hijacked to take over the website.

"This vulnerability allows any unauthenticated user [to steal] sensitive information to, in this case, privilege escalation on the WordPress site by tricking the privileged user to visit the crafted URL path," Patchstack wrote in its report.

The outfit added that "this vulnerability could be triggered on a default installation or configuration of Advanced Custom Fields plugin. The XSS also could only be triggered from logged-in users that have access to the Advanced Custom Fields plugin."

• WordPress-powered sites backdoored after FishPig suffers supply chain attack
• Thousands of websites run buggy WordPress plugin that allows complete takeover
• About half of popular websites tested found vulnerable to account pre-hijacking
• Infosec not your job but your responsibility? How to be smarter than the average bear

The flaw is relatively straightforward. It stems from the "admin_body_class" function handler, which Patchstack said was configured to be an additional handler for WordPress' hook, also named admin_body_class. The handler controls and filters the design and layout for the main body tag in the admin area.

The function handler doesn't properly sanitize that value of the hook, opening it up to an attacker being able to add in malicious code, including redirects, advertisements, and other HTML payloads into a website, which is then executed when a person visits the site.

According to Patchstack, the XSS vulnerability was one of four found in the popular plugin over the past couple of years.

WordPress, which celebrates its 20th birthday this month, remains the most popular content management system in the world, used by 43.2 percent of all websites, according to W3Techs. Because of the hundreds of millions of sites that use it, WordPress also has become a popular target of miscreants that want to exploit any flaws in the system - it's where the money is.

According to a Patchstack survey, there was a 150 percent increase in the number of WordPress vulnerabilities reported between 2020 and 2021, and 29 percent of plugins with critical vulnerabilities at the time remained unpatched.

In addition, WordPress' ease-of-use lets anyone from tech hobbyists to professionals to quickly set up a website, adding to the security risks with the platform, according to Melissa Bischoping, director of endpoint security research at cybersecurity firm Tanium.

"Because many of the plugins available for WordPress sites are developed by the community, they may not be regularly audited and maintained," Bischoping told The Register. "The plugins themselves may contain security vulnerabilities and it is also easy to misconfigure permissions or plugin settings, exposing additional opportunities for exploit."

She added that "for some of the most popular plugins, those can be present in literally millions of websites, which is an attractive large scope of opportunity for a threat actor."

Casey Ellis, founder and CTO at security crowdsourcer Bugcrowd, told The Register that anyone whose WordPress site is hacked should migrate it to a SaaS host, where the security maintenance is outsourced to a third party and a web application firewall can be put up in front of the site.

"The vast majority of bloggers and small business owners that run WordPress sites … are not cybersecurity experts," Ellis said. "WordPress certainly needs updating on a consistent basis, especially if you have a website that has a number of plugins and third-party code." ®