ACF Plugin’s Reflected XSS Vulnerability Attracts Exploit Attempts Within 24 Hours of Public Announcement


On May 5, Patchstack published a security advisory about a high severity reflected cross-site scripting (XSS) vulnerability in ACF (Advanced Custom Fields), potentially affecting more than 4.5 million users. WP Engine patched the vulnerability on May 4, but the Akamai Security Intelligence Group (SIG) is reporting that attackers began attempting to exploit it within 24 hours of Patchstack’s publication.

“Once exploit vector details are publicly released, scanning and exploitation attempts rapidly increase,” Akamai Principal Security Researcher Ryan Barnett said. “It is common for security researchers, hobbyists, and companies searching for their risk profile to examine new vulnerabilities upon release. However, the volume is increasing, and the amount of time between release and said growth is drastically decreasing. The Akamai SIG analyzed XSS attack data and identified attacks starting within 24 hours of the exploit PoC being made public.

“What is particularly interesting about this is the query itself: The threat actor copied and used the Patchstack sample code from the write-up.”

Patchstack’s security advisory includes a breakdown of the vulnerability, sample payload, and details of the patch.

Although the vulnerability, assigned CVE-2023-30777, was promptly patched, and WP Engine alerted its users the same day, site owners have been slow to update to the latest, patched version of the plugin (6.1.6). Only 31.5% of the plugin’s user base are running version 6.1+, leaving a significant portion still vulnerable unless they are protected by additional security measures like virtual patches.
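As an added example (not code from the article, Patchstack, WP Engine or Akamai), here is the kind of version audit a site owner or fleet administrator could run to find ACF installs still below the patched 6.1.6 release. The plugin header text is constructed sample data, the parsing assumes the standard WordPress plugin header format, and the audit shows why versions must be compared numerically rather than as strings.

```python
import re

# Patched release named in the advisory coverage for CVE-2023-30777.
FIXED_VERSION = "6.1.6"

def parse_version(text: str) -> tuple:
    """Turn a dotted version such as '6.1.10' into a tuple of ints.

    Tuple comparison avoids the string-comparison trap where
    '6.1.10' < '6.1.6' because the character '1' sorts before '6'.
    """
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in parts)

def plugin_version_from_header(header: str) -> str:
    """Extract the 'Version:' field from a WordPress plugin header block.

    Assumes the conventional header comment WordPress reads from the
    plugin's main PHP file (with or without leading asterisks).
    """
    match = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header, re.MULTILINE)
    if match is None:
        raise ValueError("plugin header has no Version: line")
    return match.group(1)

def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version predates the fixed one."""
    return parse_version(installed) < parse_version(fixed)

def audit(headers: dict) -> list:
    """Return the site names whose ACF header reports an unpatched version."""
    return [site for site, hdr in headers.items()
            if is_vulnerable(plugin_version_from_header(hdr))]

# Constructed sample headers (hypothetical sites, not real data) mimicking
# the header block at the top of a plugin's main PHP file.
SAMPLE_HEADERS = {
    "site-a": "<?php\n/*\nPlugin Name: Advanced Custom Fields\nVersion: 6.0.7\n*/\n",
    "site-b": "<?php\n/*\nPlugin Name: Advanced Custom Fields\nVersion: 6.1.6\n*/\n",
    "site-c": "<?php\n/*\nPlugin Name: Advanced Custom Fields\nVersion: 6.1.10\n*/\n",
}

if __name__ == "__main__":
    # Only site-a is below 6.1.6; site-c would be misflagged by a string compare.
    print("unpatched:", audit(SAMPLE_HEADERS))
```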

“Exploitation of this leads to a reflected XSS attack in which a threat actor can inject malicious scripts, redirects, ads, and other forms of URL manipulation into a victim site,” Barnett said. “This would, in turn, push those illegitimate scripts to visitors of that affected site. This manipulation is essentially blind to the site owner, making these threats even more dangerous.”

Barnett noted that the attackers’ reuse of Patchstack’s sample code indicates these are not sophisticated attempts, but that the comprehensive security advisory makes vulnerable sites easy to target.

“This highlights that the response time for attackers is rapidly decreasing, increasing the need for vigorous and prompt patch management,” Barnett said.