- 08/05/2023 --- v1.0 -- Initial publication
A reflected XSS vulnerability has been discovered in the Advanced Custom Fields (ACF) and Advanced Custom Fields Pro WordPress plugins (versions 6.1.5 and below). This vulnerability allows unauthenticated users to potentially escalate privileges on a WordPress site by tricking a privileged user into visiting a maliciously crafted URL. The issue has been fixed in version 6.1.6, and has been assigned CVE-2023-30777 [1, 2].
The vulnerability is found within the
admin_body_class function in the file:
This function is an extra handler for the
admin_body_class WordPress hook, which is responsible for filtering CSS classes for the main body tag in the admin area. The outputted value of the hook is not properly sanitised and is directly constructed on the HTML page.
admin_body_class function concatenates the
$this->view variable to the
$classes variable, which is then returned as the classes string. However, the sanitisation using the
sanitize_text_field function is insufficient to prevent XSS, as it allows for a DOM XSS payload.
The affected products are:
- Advanced Custom Fields WordPress plugin (Free version), versions 6.1.5 and below.
- Advanced Custom Fields Pro WordPress plugin (Pro version), versions 6.1.5 and below.
To mitigate this vulnerability, users should update the respective plugins to at least version 6.1.6.