CVE-2023-30777
Published 2023-05-10
Priority: P1 (81)
CVSS 3.1: 6.1 (medium), AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Tags: ITW exploit, VulnCheck KEV
Exploited in the wild
EPSS: 38.77% (98.4th percentile)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WP Engine Advanced Custom Fields Pro, WP Engine Advanced Custom Fields plugins <= 6.1.5 versions.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| advancedcustomfields | advanced_custom_fields | < 6.1.6 | 6.1.6 |
| wp_engine | advanced_custom_fields | n/a – 6.1.5 | — |
| wp_engine | advanced_custom_fields_pro | n/a – 6.1.5 | — |
Detection & IOCs (extracted from sources)
- url: /wp-admin/edit.php?post_type=acf-post-type&post_status=%22style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28document.domain%29%2F%2F
- path: /wp-admin/edit.php
- query: post_status=%22style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28document.domain%29%2F%2F
- The XSS payload is injected via the `post_status` GET parameter on the `/wp-admin/edit.php` endpoint with `post_type=acf-post-type`. The payload opens with an encoded double quote (`%22`) to break out of the HTML attribute the value is reflected into, then injects a `style` attribute with an animation and an `onanimationstart` handler, which fires as soon as the page renders and needs no click from the victim. Look for URL-encoded quote, `style=` or `on*=` fragments in this parameter, including double-encoded forms.
- The reflection happens on a `/wp-admin/` page, so it only renders for a logged-in user: the victim needs a WordPress session (login via `/wp-login.php`), while the attacker only needs the victim to open the crafted link. The Nuclei template logs in first for the same reason, so that the scanner's request reaches the page instead of being redirected to the login form.
- Exploitation can lead to theft of cookie-based authentication credentials or other actions in the victim's session; monitor for anomalous cookie exfiltration from WordPress admin sessions.
- The vulnerability affects Advanced Custom Fields and Advanced Custom Fields Pro <= 6.1.5. Presence of either plugin at one of these versions on a WordPress site indicates exposure.
- "Unauth." in the NVD description refers to the attacker, who needs no account on the target; it does not mean the payload executes without any session. This is the usual threat model for reflected XSS on an admin page, and it is why the Nuclei template includes an authenticated login step before requesting the endpoint.
- The vulnerability is fixed in version 6.1.6; detections targeting plugin version strings should flag any ACF or ACF Pro installation below this version.
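A practitioner-side check covering the two detection angles above (the payload in the access log, and the plugin version string), as an added example that is not code from this page, Patchstack, WP Engine or the Nuclei project. It assumes Apache/Nginx combined-format access logs and the standard WordPress `Version:` plugin header in the plugin's main PHP file; the log lines inside the block are constructed for the example, and the `post_type` scope is taken from the IOC above.

```python
"""Detection helpers for CVE-2023-30777 (Advanced Custom Fields <= 6.1.5 reflected XSS).

Added example for this page; not code from Patchstack, WP Engine or the Nuclei
project. Assumes Apache/Nginx combined-format access logs and the standard
WordPress plugin header ("Version: x.y.z") in the plugin's main PHP file.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint and post_type named by the published IOC / Nuclei template.
TARGET_PATH = "/wp-admin/edit.php"
TARGET_POST_TYPE = "acf-post-type"
FIXED_IN = (6, 1, 6)

# Attribute-context XSS indicators. The public payload starts with a double
# quote to close the attribute it is reflected into, then adds a style
# attribute and an onanimationstart handler; generic variants use any on*
# handler, a <script> tag or a javascript: URL.
XSS_PATTERNS = (
    re.compile(r'^\s*["\']'),
    re.compile(r"\bon[a-z]+\s*=", re.I),
    re.compile(r"\bstyle\s*=", re.I),
    re.compile(r"<\s*script", re.I),
    re.compile(r"javascript\s*:", re.I),
)

# Combined log format, only the fields this check needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_request(url):
    """Return (is_hit, detail) for one request URL.

    parse_qs percent-decodes once; the extra unquote catches double-encoded
    payloads (%2522 -> %22 -> ") that a single decode would miss.
    """
    parts = urlsplit(url)
    if parts.path != TARGET_PATH:
        return False, "other path"
    qs = parse_qs(parts.query, keep_blank_values=True)
    if TARGET_POST_TYPE not in qs.get("post_type", []):
        return False, "not the ACF post-type list"
    for raw in qs.get("post_status", []):
        value = unquote(raw)
        matched = [p.pattern for p in XSS_PATTERNS if p.search(value)]
        if matched:
            return True, f"post_status={value!r} matched {matched}"
    return False, "post_status looks benign"


def scan_log(lines):
    """Return (ip, status, url, detail) for every request carrying the payload.

    Status matters for triage: wp-admin answers an unauthenticated client with
    a 302 to wp-login.php, so the reflection only rendered on 200 responses.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        is_hit, detail = classify_request(m.group("url"))
        if is_hit:
            hits.append((m.group("ip"), m.group("status"), m.group("url"), detail))
    return hits


# Plugin header line as written in acf.php ("Version: 6.1.5"); the optional
# leading "*" also accepts the block-comment style some plugins use.
PLUGIN_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9]+(?:\.[0-9]+)*)", re.M)


def acf_header_is_vulnerable(plugin_header):
    """True if the Version: header is below 6.1.6, False if patched, None if absent."""
    m = PLUGIN_VERSION_RE.search(plugin_header)
    if m is None:
        return None
    version = tuple(int(x) for x in m.group(1).split("."))
    return version < FIXED_IN


# Constructed sample log lines (not from a real incident).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2023:12:00:01 +0000] "GET /wp-admin/edit.php?post_type=acf-post-type'
    '&post_status=%22style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28document.domain%29%2F%2F HTTP/1.1" 200 51234',
    '198.51.100.9 - - [10/May/2023:12:00:05 +0000] "GET /wp-admin/edit.php?post_type=acf-post-type&post_status=acf-disabled HTTP/1.1" 200 48211',
    '203.0.113.7 - - [10/May/2023:12:00:09 +0000] "GET /wp-admin/edit.php?post_type=acf-post-type'
    '&post_status=%2522style%253Dx+onanimationstart%253Dalert%25281%2529 HTTP/1.1" 302 0',
    '192.0.2.4 - - [10/May/2023:12:00:12 +0000] "GET /wp-login.php HTTP/1.1" 200 7800',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
    print("acf.php 'Version: 6.1.5' vulnerable:", acf_header_is_vulnerable("Version: 6.1.5"))
```

Run it against the access log of the WordPress vhost. A hit with a 200 response means a logged-in user rendered the payload and that session should be treated as compromised; a hit with a 302 means an unauthenticated client probed the endpoint and was bounced to wp-login.php, which is reconnaissance rather than a successful reflection. The version check reads the plugin header, which is the string a WordPress site exposes to fingerprinting scanners, so it gives the same answer as the Nuclei/plugin-version detections the bullets above describe.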
CVSS provenance
- NVD (v3.1): 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- VulnCheck: 7.1 HIGH
GHSA
GHSA-c463-967w-9f3r (ghsa_unreviewed, 2023-07-06): CVE-2023-30777 [MEDIUM] CWE-79
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WP Engine Advanced Custom Fields Pro, WP Engine Advanced Custom Fields plugins <= 6.1.5 versions.
VulnCheck
CVE-2023-30777 [HIGH] (vulncheck, 2023, CVSS 7.1): advancedcustomfields advanced_custom_fields, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WP Engine Advanced Custom Fields Pro, WP Engine Advanced Custom Fields plugins <= 6.1.5 versions.
Affected: advancedcustomfields advanced_custom_fields
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.akamai.com/blog/security-research/attackers-leverage-sample-exploit-wordpress-plugin
Exploit PoC: https://vulncheck.com/xdb/dcd6d015659b
No detection rules found.
Nuclei
CVE-2023-30777 [MEDIUM] (nuclei, CVSS 6.1): Advanced Custom Fields < 6.1.6 - Cross-Site Scripting
Advanced Custom Fields before 6.1.6 is susceptible to cross-site scripting via the post_status parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Template:
```yaml
id: CVE-2023-30777

info:
  name: Advanced Custom Fields < 6.1.6 - Cross-Site Scripting
  author: r3Y3r53
  severity: medium
  description: |
    Advanced Custom Fields before 6.1.6 is susceptible to cross-site scripting via the post_status parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the bro
```
Sentinelone
Beyond the WebP Flaw | An In-depth Look at 2023's Browser Security Challenges
blogs_sentinelone · 2023-10-03
This week, Firefox users were urged to apply Mozilla's latest updates against a critical flaw that could allow attackers to take control of affected systems. It follows hard on the heels of similar updates for Microsoft Edge, Google Chrome, and Apple's Safari browser. All have been heavily impacted by an actively exploited vulnerability in the WebP code library.
Although the WebP vulnerability affects other software as well, browsers are by far and away the most ubiquitous and widely used applications on end user devices. Having a foothold in a compromised browser gives threat actors access to sensitive information and potential avenues into targeted environments.
In this post, we take a deep dive into browser security, exploring the differences between vulnerabilities and exploits, zero
Checkpoint
8th May – Threat Intelligence Report
blogs_checkpoint · 2023-05-08 · CVE-2023-27964
## 8th May – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 8th May, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The City of Dallas, Texas has suffered a ransomware attack conducted by Royal ransomware gang. The attack caused a network outage of its Information and Technology Services (ITS), including Dallas police department, Dallas fire-rescue, Dallas municipal court, payment systems and more.
Check Point Harmony Endpoint provides protection
References
- https://patchstack.com/articles/reflected-xss-in-advanced-custom-fields-plugins-affecting-2-million-sites?_s_id=cve
- https://patchstack.com/database/vulnerability/advanced-custom-fields-pro/wordpress-advanced-custom-fields-pro-plugin-6-1-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
- https://patchstack.com/database/vulnerability/advanced-custom-fields/wordpress-advanced-custom-fields-plugin-6-1-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve