{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2023-027.pdf"
    },
    "title": "Critical Vulnerability in Wordpress Plugins",
    "serial_number": "2023-027",
    "publish_date": "08-05-2023 13:04:49",
    "description": "A reflected XSS vulnerability has been discovered in the Advanced Custom Fields (ACF) and Advanced Custom Fields Pro WordPress plugins (versions 6.1.5 and below). This vulnerability allows unauthenticated users to potentially escalate privileges on a WordPress site by tricking a privileged user into visiting a maliciously crafted URL. The issue has been fixed in version 6.1.6, and has been assigned CVE-2023-30777.<br>\n",
    "url_title": "2023-027",
    "content_markdown": "--- \ntitle: 'Critical Vulnerability in\u00a0Wordpress\u00a0Plugins' \nversion: '1.0'\nnumber: '2023-027'\noriginal_date: 'May 5, 2023'\ndate: 'May 8, 2023'\n---\n\n_History:_\n\n* _08/05/2023 --- v1.0 -- Initial publication_\n\n# Summary\n\nA reflected XSS vulnerability has been discovered in the Advanced Custom Fields (ACF) and Advanced Custom Fields Pro WordPress plugins (versions 6.1.5 and below). This vulnerability allows unauthenticated users to potentially escalate privileges on a WordPress site by tricking a privileged user into visiting a maliciously crafted URL. The issue has been fixed in version 6.1.6, and has been assigned CVE-2023-30777 [1, 2].\n\n# Technical Details\n\nThe vulnerability is found within the `admin_body_class` function in the file:\n\n `includes/admin/admin-internal-post-type-list.php` \n \n This function is an extra handler for the `admin_body_class` WordPress hook, which is responsible for filtering CSS classes for the main body tag in the admin area. The outputted value of the hook is not properly sanitised and is directly constructed on the HTML page.\n\nThe `admin_body_class` function concatenates the `$this->view` variable to the `$classes` variable, which is then returned as the classes string. However, the sanitisation using the `sanitize_text_field` function is insufficient to prevent XSS, as it allows for a DOM XSS payload.\n\n# Affected Products\n\nThe affected products are:\n\n- Advanced Custom Fields WordPress plugin (Free version), versions 6.1.5 and below.\n- Advanced Custom Fields Pro WordPress plugin (Pro version), versions 6.1.5 and below.\n\n# Recommendations\n\nTo mitigate this vulnerability, users should update the respective plugins to at least version 6.1.6.\n\n# References\n\n[1] <https://patchstack.com/articles/reflected-xss-in-advanced-custom-fields-plugins-affecting-2-million-sites/> \n\n[2] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30777>",
    "content_html": "<p><em>History:</em></p><ul><li><em>08/05/2023 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>A reflected XSS vulnerability has been discovered in the Advanced Custom Fields (ACF) and Advanced Custom Fields Pro WordPress plugins (versions 6.1.5 and below). This vulnerability allows unauthenticated users to potentially escalate privileges on a WordPress site by tricking a privileged user into visiting a maliciously crafted URL. The issue has been fixed in version 6.1.6, and has been assigned CVE-2023-30777 [1, 2].</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability is found within the <code>admin_body_class</code> function in the file:</p><p><code>includes/admin/admin-internal-post-type-list.php</code> </p><p>This function is an extra handler for the <code>admin_body_class</code> WordPress hook, which is responsible for filtering CSS classes for the main body tag in the admin area. The outputted value of the hook is not properly sanitised and is directly constructed on the HTML page.</p><p>The <code>admin_body_class</code> function concatenates the <code>$this-&gt;view</code> variable to the <code>$classes</code> variable, which is then returned as the classes string. However, the sanitisation using the <code>sanitize_text_field</code> function is insufficient to prevent XSS, as it allows for a DOM XSS payload.</p><h2 id=\"affected-products\">Affected Products</h2><p>The affected products are:</p><ul><li>Advanced Custom Fields WordPress plugin (Free version), versions 6.1.5 and below.</li><li>Advanced Custom Fields Pro WordPress plugin (Pro version), versions 6.1.5 and below.</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>To mitigate this vulnerability, users should update the respective plugins to at least version 6.1.6.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://patchstack.com/articles/reflected-xss-in-advanced-custom-fields-plugins-affecting-2-million-sites/\">https://patchstack.com/articles/reflected-xss-in-advanced-custom-fields-plugins-affecting-2-million-sites/</a> </p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30777\">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30777</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}