WordPress plugin has a new vulnerability that leaves sites vulnerable to cyberattacks (12th May 2023)

Ref# AL2023_31 | Date: May 12th 2023

Description

Sites are at risk of cyber attacks due to a new vulnerability in a popular WordPress plugin. By deceiving a privileged user into visiting a crafted URL (Uniform Resource Locator) path, this vulnerability enables any unauthenticated user to steal sensitive information and, in this case, escalate privileges on the WordPress site.

Details

The vulnerability was identified as CVE-2023-30777. Its cause is the 'admin_body_class' function handler's failure to properly sanitize the output value of a hook that manages and filters the CSS classes (design and layout) for the main body tag in the admin area of WordPress sites.

An attacker can place malicious code (DOM XSS payloads) in the plugin's components, and it will pass through to the finished result, a class string, because the plugin's code uses unsafe direct code concatenation, specifically on the $this->view variable.

sanitize_text_field, the sanitization function the plugin uses, will not stop the attack because it does not detect the malicious code injection.

Remediation

The root cause of the problem is that the code improperly sanitized a variable before it was concatenated directly into the HTML. The problem can be fixed by escaping the value with the esc_attr function. Users of versions 6.1.5 and below of the Advanced Custom Fields and Advanced Custom Fields Pro plugins are urged to update to version 6.1.6 to protect their websites from this XSS vulnerability.

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
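The following is an added illustration of the pattern this alert describes; it is not code from the Advanced Custom Fields plugin or from the alert. It shows why a value cleaned with sanitize_text_field but then concatenated straight into the body class attribute can still break out of that attribute, and why escaping it with esc_attr at output closes the hole. WordPress core is not loaded here, so the two helpers are simplified stand-ins for the real functions, the $view parameter stands in for the plugin's view variable, and the input string is constructed for the demonstration.

```php
<?php
// Added illustration (not ACF's code): why sanitize_text_field() alone does not
// protect a value that is concatenated into an HTML attribute, and why esc_attr()
// does. WordPress core is not loaded here, so the two helpers below are
// simplified stand-ins for the real core functions (assumption: close enough
// for this attribute-context demonstration).

if (!function_exists('sanitize_text_field')) {
    // Stand-in: strips tags and collapses whitespace, like the core helper,
    // but leaves quote characters untouched.
    function sanitize_text_field(string $str): string {
        $str = strip_tags($str);
        $str = preg_replace('/[\r\n\t ]+/', ' ', $str);
        return trim($str);
    }
}

if (!function_exists('esc_attr')) {
    // Stand-in: HTML-encodes <, >, &, " and ' so the value is safe inside an attribute.
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// The pattern the alert describes: an attacker-influenced value (here the
// hypothetical $view, standing in for the plugin's view variable) is appended
// to the admin body class string and written directly into the class attribute.
function render_body_tag_vulnerable(string $view): string {
    $classes = 'wp-admin ' . sanitize_text_field($view);   // sanitized, but not escaped for attribute context
    return '<body class="' . $classes . '">';
}

// The remediation the alert names: escape the value for attribute context at output.
function render_body_tag_fixed(string $view): string {
    $classes = 'wp-admin ' . sanitize_text_field($view);
    return '<body class="' . esc_attr($classes) . '">';
}

// Check used below: did a second, attacker-controlled attribute end up in the markup?
// A regex over the rendered tag is sufficient for this demonstration.
function attribute_breakout(string $html): bool {
    return (bool) preg_match('/\sdata-injected="1"/', $html);
}

// Constructed input: it contains no tags, so tag stripping changes nothing,
// but the double quote closes the class attribute early and a new attribute follows.
$constructed_input = 'tools" data-injected="1';

$vulnerable = render_body_tag_vulnerable($constructed_input);
$fixed      = render_body_tag_fixed($constructed_input);

echo "Vulnerable: $vulnerable\n";   // class attribute ends at the injected quote
echo "Fixed:      $fixed\n";        // the quote is encoded, so the whole value stays inside class=""
var_dump(attribute_breakout($vulnerable));
var_dump(attribute_breakout($fixed));
```

The point for reviewers of similar code: sanitize_text_field is an input-cleaning function and makes no promise about the context the value is later written into; a value that ends up inside an HTML attribute must be escaped for that context with esc_attr at the point of output, regardless of what sanitization ran earlier.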

PDF Download: WordPress plugin has a new vulnerability.pdf
