A new WordPress bug may have left 2 million sites vulnerable

A flaw in two WordPress custom-field plug-ins leaves users vulnerable to cross-site scripting (XSS) attacks, according to a recent report.

Patchstack researcher Rafie Muhammad recently discovered an XSS flaw in the Advanced Custom Fields and Advanced Custom Fields Pro plug-ins, which are actively installed by over 2 million users worldwide, according to Bleeping Computer.

The flaw, tracked as CVE-2023-30777, was discovered on May 2 and rated high severity. The plug-ins’ developer, WP Engine, provided a security update, version 6.1.6, on May 4, within days of learning about the vulnerability.

The popular custom field builders allow users to have full control of their content management system from the back end, with WordPress edit screens, custom field data, and other features.

However, XSS bugs surface on the visitor-facing side of a site: they work by injecting “malicious scripts on websites viewed by others, resulting in the execution of code on the visitor’s web browser,” Bleeping Computer added.

This could leave website visitors open to having their data stolen from infected WordPress sites, Patchstack noted.

Specifics about the XSS vulnerability indicate that it can be triggered on a “default installation or configuration of the Advanced Custom Fields plug-in.” However, triggering it requires logged-in access to the Advanced Custom Fields plug-in, meaning a bad actor would have to trick someone with that access into triggering the flaw, the researchers added.

The CVE-2023-30777 flaw lies in the admin_body_class function handler, into which a bad actor can inject malicious code. In particular, a DOM XSS payload can be injected into the improperly written output, and the code’s sanitization of that output, the security measure that should have stopped it, does not catch it; that gap is the flaw.

The fix in version 6.1.6 introduced the admin_body_class hook, which blocks the XSS attack from executing.
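To make the pattern behind this class of bug concrete, the following is an added PHP example written for this page; it is not Advanced Custom Fields’ code and does not reproduce the actual CVE-2023-30777 code path. It assumes a plug-in callback on WordPress’s admin_body_class filter that builds a class string from a request parameter (the parameter name `view`, the `acf_like_*` function names and the `render_body_tag()` sink are all hypothetical), and that the filter’s return value is printed straight into the `<body class="...">` attribute, so the callback itself is responsible for producing a safe string. The `sanitize_html_class()` shim stands in for the WordPress function of the same name so the file runs outside WordPress.

```php
<?php
// Added illustrative example (not ACF's code): a vulnerable and a hardened
// admin_body_class callback side by side.

// Shim so the file runs outside WordPress. Inside WordPress the real
// sanitize_html_class() is used instead; like it, this keeps only [A-Za-z0-9_-].
if (!function_exists('sanitize_html_class')) {
    function sanitize_html_class(string $class, string $fallback = ''): string {
        $sanitized = preg_replace('/[^A-Za-z0-9_-]/', '', $class);
        return $sanitized === '' ? $fallback : $sanitized;
    }
}

// Vulnerable pattern: a request-controlled value is concatenated into the
// class list without restriction. A value containing a double quote ends the
// class attribute early, which is the foothold a DOM XSS payload needs.
function acf_like_admin_body_class_unsafe(string $classes, string $view): string {
    return $classes . ' acf-view-' . $view;
}

// Hardened pattern: reduce the value to a single safe class token before it is
// concatenated, with a fixed fallback when nothing safe remains.
function acf_like_admin_body_class_safe(string $classes, string $view): string {
    return $classes . ' acf-view-' . sanitize_html_class($view, 'unknown');
}

// Hypothetical sink: the filter result is printed into the attribute as-is,
// so whatever the callback returns lands in the page verbatim.
function render_body_tag(string $classes): string {
    return '<body class="' . $classes . '">';
}

// Demonstration on a constructed value that closes the attribute and starts
// a new one. No script is involved; the point is the attribute breakout.
function demo(): array {
    $untrusted = 'x" data-injected="1';  // constructed sample input
    return [
        'unsafe' => render_body_tag(acf_like_admin_body_class_unsafe('wp-admin', $untrusted)),
        'safe'   => render_body_tag(acf_like_admin_body_class_safe('wp-admin', $untrusted)),
    ];
}

// Inside WordPress, register only the hardened callback on the real filter.
if (function_exists('add_filter')) {
    add_filter('admin_body_class', function (string $classes): string {
        $view = isset($_GET['view']) ? (string) $_GET['view'] : '';
        return acf_like_admin_body_class_safe($classes, $view);
    });
}

foreach (demo() as $label => $html) {
    echo $label, ': ', $html, PHP_EOL;
}
```

Running the file shows the unsafe callback producing `<body class="wp-admin acf-view-x" data-injected="1">`, where the quote in the input has terminated the class attribute and a new attribute has been smuggled in, while the hardened callback yields `<body class="wp-admin acf-view-xdata-injected1">` with the input collapsed to one harmless token. Restricting the value in the callback and escaping at the print site with `esc_attr()` are independent layers; a reviewer auditing a plug-in for this bug class should expect to find at least one of them on every path from request input to an HTML attribute.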

Users of Advanced Custom Fields and Advanced Custom Fields Pro should upgrade the plug-ins to version 6.1.6 or later. Many users remain susceptible to attack: approximately 72.1% of WordPress.org plug-in users are running versions below 6.1. This leaves their websites vulnerable not only to XSS attacks but also to other flaws in the wild, the publication said.

Fionna Agomuoh
Fionna Agomuoh is a Computing Writer at Digital Trends. She covers a range of topics in the computing space, including…