In today's scenario, web applications are an integral part of our lives - we use them for shopping, banking, social networking, and even as essential tools for our businesses. It's crucial to ensure the security of these applications, keeping in mind the sensitive nature of the information they handle. One such critical vulnerability that developers and organizations need to be vigilant of is Cross-Site Scripting (XSS).

This post discusses an Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered under the CVE-2023-30777 identifier in the WP Engine Advanced Custom Fields Pro and WP Engine Advanced Custom Fields plugins, with versions up to and including 6.1.5. We'll discuss the vulnerability, try to understand the exploit details, and demonstrate a code snippet to clarify the severity further. We aim to provide useful insights for website owners, developers, and security researchers.

As per the original references from Wordfence

- Wordfence blog post
- CVE database entry

This XSS vulnerability affects the WP Engine Advanced Custom Fields Pro and WP Engine Advanced Custom Fields (ACF) plugins, targeting versions up to and including 6.1.5. The issue stems from the improper handling of user input data, which allows an attacker to perform unauthenticated, reflected XSS attacks.

The exploit involves sending a crafted URL containing malicious JavaScript code to an unsuspecting user or embedding it on web pages. When the target user visits the link or the web page, the JavaScript code executes in their browser within the context of the vulnerable site. This execution could lead to various malicious actions, such as stealing sensitive information, defacing the website, or spreading malware.

Code Snippet

The vulnerable code can be found in the "core/controllers/input.php" file of the ACF plugin. Below is a snippet illustrating the affected code.

// ...pre-existing code...

// input_data()
function input_data( $data = '' ) {
  // allow function to be used as a filter
  $data = $data ? $data : $_POST;
  // loop over and format data
  if( $data ) {
    // ...pre-existing code...
    foreach( $data as $k => $v ) {
      $data[ $k ] = stripslashes_deep( $v );
  // return
  return $data;

// ...other code...

As shown in the code snippet, the plugin developers used the stripslashes_deep() function to sanitize the user input data. Unfortunately, this function is ineffective at preventing XSS attacks since it merely removes backward slashes (\) from the input data. Thus, an attacker can still send a malicious payload with properly formatted JavaScript code to bypass this protection.

Exploit Details

An attacker can exploit this vulnerability by crafting a malicious URL containing an XSS payload as a parameter value. For instance:

The above sample URL uses an encoded XSS payload in the search parameter to inject JavaScript code. Whenever the targeted user visits this URL, they will see a JavaScript alert with the message "XSS payload executed!", indicating a successful XSS attack.

It's important to note that this is merely a simple and harmless payload for demonstration purposes. However, an attacker can create more complex payloads capable of performing more devious actions.


If you're using the WP Engine Advanced Custom Fields Pro or WP Engine Advanced Custom Fields plugins, it's crucial to update them to the latest version (6.2. or higher) immediately. The updated versions contain security fixes addressing the highlighted XSS vulnerability, ensuring safer web applications and protecting users from potential attacks.


To sum up, this post aimed to provide insights into the Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability, CVE-2023-30777, found in the WP Engine Advanced Custom Fields Pro and WP Engine Advanced Custom Fields plugins. We discussed the vulnerability's origins, examined the problematic code, and demonstrated an example exploit to understand its potential implications. Finally, we discussed the importance of updating the vulnerable plugins to safeguard against the stated exploit.


Published on: 05/10/2023 06:15:00 UTC
Last modified on: 05/17/2023 16:42:00 UTC