Hackers use public exploit to attack vulnerable WordPress sites
Take action: Even though this vulnerability requires that someone clicks, the reality is that every one of us has a trigger that will make us click on a social-engineering link. Please upgrade the free or Pro version of the 'Advanced Custom Fields' plugin for WordPress to version 6.1.6, or to 5.12.6 if you are still on the 5.x line (the fix was backported there).
Hackers are actively exploiting a vulnerability in the WordPress Advanced Custom Fields plugin. The vulnerability, tracked as CVE-2023-30777, is a reflected cross-site scripting (XSS) flaw rated high-severity. It lets an unauthenticated attacker who can get a privileged user to open a crafted link steal sensitive information and escalate privileges on the affected WordPress site.
On May 2nd, 2023, website security company Patchstack discovered the flaw. It published the details, together with a PoC exploit, on May 5th, one day after the plugin vendor released the fix (version 6.1.6). Significant scanning for the vulnerability and exploitation attempts began on May 6th, using the sample code provided by Patchstack.
According to wordpress.org statistics, over 1.4 million websites still run a vulnerable version of the plugin without having upgraded, giving attackers a substantial attack surface to target.
Because the flaw is a reflected XSS, exploiting it requires a victim: a user who is logged in with access to the plugin must open a crafted URL, at which point the attacker's script runs in that user's browser and session, giving the attacker the victim's privileges on the site. However, the malicious scans suggest that threat actors are undeterred and confident they can overcome this mitigating factor through social engineering.
Moreover, the exploit works against the default configuration of the affected plugin versions, so threat actors need no additional effort to succeed.
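The practical follow-up to the "Take action" note above is finding every install that has not been upgraded. The script below is an added example, not code from the article, from Patchstack or from the plugin's vendor: it reads the standard WordPress plugin header ("Plugin Name:" and "Version:" fields) from each plugin directory under a wp-content path and reports whether the Advanced Custom Fields version found is at or above the fixed releases the article names (6.1.6, or the 5.12.6 backport on the 5.x line). The sample headers embedded in it are constructed for the offline run and are not taken from any real site.

```python
"""Inventory check for CVE-2023-30777 in Advanced Custom Fields.

Added example, not code from the article or from the plugin's vendor. The
fixed versions (6.1.6, and 5.12.6 as the backport for the 5.x line) are the
ones the article names; the "Plugin Name:" / "Version:" header fields are the
standard WordPress plugin-header convention. The sample headers below are
constructed for this example and are not taken from any real install.
"""
from __future__ import annotations

import re
import sys
from pathlib import Path

# Minimum patched version on each release line, per the article.
FIXED = {5: (5, 12, 6), 6: (6, 1, 6)}

_NAME_RE = re.compile(r"^\s*\*?\s*Plugin Name:\s*(.+?)\s*$", re.I | re.M)
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.I | re.M)


def parse_version(v: str) -> tuple[int, int, int]:
    """'6.1.6' -> (6, 1, 6). Missing components become 0; a suffix such as
    '-beta1' is ignored, so '5.12.6-beta1' compares as 5.12.6."""
    parts: list[int] = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])


def is_patched(version: str) -> bool:
    """True when the version carries the CVE-2023-30777 fix.

    6.x installs need 6.1.6 or later; 5.x installs need the 5.12.6 backport.
    Older lines are not named in the article, so they are reported as
    unpatched and left for the operator to review."""
    v = parse_version(version)
    if v[0] >= 6:
        return v >= FIXED[6]
    if v[0] == 5:
        return v >= FIXED[5]
    return False


def header_fields(php_source: str) -> tuple[str | None, str | None]:
    """Pull (plugin name, version) out of a WordPress plugin header comment."""
    name = _NAME_RE.search(php_source)
    ver = _VERSION_RE.search(php_source)
    return (name.group(1) if name else None, ver.group(1) if ver else None)


def assess(headers: dict[str, str]) -> dict[str, tuple[str | None, bool]]:
    """Map plugin slug -> (version, patched?) for every ACF header given.

    Non-ACF plugins are skipped; an ACF header with no Version: line is
    reported as unpatched because it cannot be shown to be fixed."""
    out: dict[str, tuple[str | None, bool]] = {}
    for slug, src in headers.items():
        name, ver = header_fields(src)
        if not name or not name.lower().startswith("advanced custom fields"):
            continue
        out[slug] = (ver, bool(ver) and is_patched(ver))
    return out


def collect_headers(wp_content: Path) -> dict[str, str]:
    """Read the top-level .php files of every plugin directory; the file that
    carries 'Plugin Name:' is the plugin's main file."""
    headers: dict[str, str] = {}
    for plugin_dir in sorted((wp_content / "plugins").glob("*/")):
        for php in plugin_dir.glob("*.php"):
            src = php.read_text(errors="replace")
            if _NAME_RE.search(src):
                headers[plugin_dir.name] = src
                break
    return headers


# Constructed sample headers for an offline run (not from a real site).
SAMPLE_HEADERS = {
    "advanced-custom-fields": "<?php\n/*\nPlugin Name: Advanced Custom Fields\nVersion: 6.1.5\n*/\n",
    "advanced-custom-fields-pro": "<?php\n/*\nPlugin Name: Advanced Custom Fields PRO\nVersion: 5.12.6\n*/\n",
    "some-other-plugin": "<?php\n/*\nPlugin Name: Something Else\nVersion: 1.0\n*/\n",
}


if __name__ == "__main__":
    # Usage: python check_acf.py /var/www/site/wp-content   (defaults to the sample)
    headers = collect_headers(Path(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_HEADERS
    for slug, (ver, ok) in assess(headers).items():
        print(f"{slug}: version {ver or 'unknown'} -> {'patched' if ok else 'VULNERABLE, upgrade'}")
```

Run it once per site against that site's wp-content directory; on a multi-site host a shell loop over the document roots is enough. The version comparison deliberately treats the 5.x and 6.x lines separately, since a 5.12.6 install is fixed even though it is numerically lower than the vulnerable 6.1.5, and it errs on the side of reporting anything it cannot show to be fixed as needing an upgrade.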