A vulnerability in the WordPress plugin Advanced Custom Fields and Advanced Custom Fields Pro is being actively exploited by attackers after proof of concept (PoC) code for the exploit was released. The Advanced Customs Fields plugin has been installed on over 2M WordPress sites worldwide however only 31.5% of users have installed update version 6.1 or later meaning the majority are still vulnerable to this form of attack. This flaw is present in versions 6.1.5 and earlier, and is patched in the latest release, version 6.1.6. Vulnerability details have been published for this flaw on Patchstack, the WordPress vulnerability database, however this has not yet been updated to confirm exploits of this flaw, which began being detected within 24 hours of the PoC code being released. The detected exploits in the wild were found to have an exact copy of the Patchstack sample code used in the attacks. 

The vulnerability tracked as CVE-2023-30777 is a high severity flaw with a CVSS base score of 7.1. This is a cross site scripting (XSS) flaw within the admin_body_class function handler in the main admin area of the site. The failure of this handler to properly sanitise output values allows attackers to inject malicious scripts including advertisements, redirects, and other HTML payloads into the vulnerable WordPress sites. It can be exploited by unauthenticated attackers who can then escalate their privileges and steal sensitive information from the compromised sites.  

Users of the Advanced Custom Fields and Advanced Custom Fields Pro plugins should update to version 6.1.6 as soon as possible to apply the security patch that fixes this flaw. An esc_attr function has been implemented in this most recent release version to mitigate the sanitisation of malicious HTML issue. As this vulnerability is actively exploited an PoC code is available administrators should treat this update as a high priority fix.