cbcvebase.
CVE-2023-30777
published 2023-05-10

CVE-2023-30777: Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WP Engine Advanced Custom Fields Pro, WP Engine Advanced Custom Fields plugins <= 6.1.5 versions.

Priority: P1 · 81
Severity: medium 6.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
ITW: Exploited (VulnCheck KEV)
Exploited in the wild
EPSS: 38.77% (98.4th percentile)

Affected

3 ranges
Vendor                 Product                      Version range   Fixed in
advancedcustomfields   advanced_custom_fields       < 6.1.6         6.1.6
wp_engine              advanced_custom_fields       n/a – 6.1.5
wp_engine              advanced_custom_fields_pro   n/a – 6.1.5

Detection & IOCs

url:        /wp-admin/edit.php?post_type=acf-post-type&post_status=%22style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28document.domain%29%2F%2F
path:       /wp-admin/edit.php
parameter:  post_status=%22style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28document.domain%29%2F%2F
  • The XSS payload is injected via the `post_status` GET parameter on `/wp-admin/edit.php` when `post_type=acf-post-type`. The sample payload closes an attribute with `"`, adds a `style` attribute that starts a CSS animation, and fires `onanimationstart`; detections should URL-decode the parameter (repeatedly, to catch double encoding) and flag any quote, angle bracket, `style=` or `on*=` handler in a value that should only ever be a status slug such as `publish` or `draft`.
  • `/wp-admin/edit.php` only renders for a logged-in user, which is why the Nuclei template logs in via `/wp-login.php` before requesting the payload URL. The authentication belongs to the victim, not the attacker: the attacker needs no account, but a logged-in user must open the crafted link.
  • Successful exploitation runs attacker-controlled JavaScript inside the victim's authenticated WordPress admin session; the source describes theft of cookie-based authentication credentials as an outcome. Monitor for anomalous outbound requests or cookie exfiltration originating from admin sessions.
  • Affects Advanced Custom Fields and Advanced Custom Fields Pro <= 6.1.5. Presence of either plugin at these versions on a WordPress site indicates exposure.
  • The "Unauth." in the description and the login step in the Nuclei template do not conflict: "unauthenticated" refers to the attacker, while the template authenticates in order to act as the victim who must load the page. This matches the NVD vector on this page (PR:N, UI:R).
  • Fixed in version 6.1.6; detections based on plugin version strings should flag any ACF/ACF Pro installation below 6.1.6.
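
Added example, not code from the tracker, the advisory or the ACF project: Python detection logic that applies the two checks above, the `post_status` payload pattern and the 6.1.6 version floor, to constructed input. The access-log lines, IP addresses and plugin header below are made up for the example; the log format is Apache/nginx combined, and the header mirrors the `Version:` field WordPress plugins carry in their main PHP file.

```python
"""Detection for the CVE-2023-30777 IOCs: payload in post_status, and ACF version < 6.1.6."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2023:12:00:01 +0000] "GET /wp-admin/edit.php?post_type=acf-post-type&post_status=%22style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28document.domain%29%2F%2F HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2023:12:00:02 +0000] "GET /wp-admin/edit.php?post_type=acf-post-type&post_status=publish HTTP/1.1" 200 4980 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2023:12:00:03 +0000] "GET /wp-admin/edit.php?post_type=acf-post-type&post_status=%2522%253E%253Csvg%2Fonload%253Dalert%281%29%253E HTTP/1.1" 200 5100 "-" "curl/8.0"
198.51.100.7 - - [10/May/2023:12:00:04 +0000] "GET /wp-admin/edit.php?post_type=page&post_status=draft HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
192.0.2.9 - - [10/May/2023:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
"""

# Constructed plugin header in the WordPress main-file format (acf.php); values are illustrative.
SAMPLE_ACF_HEADER = """\
/*
Plugin Name: Advanced Custom Fields PRO
Plugin URI: https://www.advancedcustomfields.com
Description: Customize WordPress with powerful, professional and intuitive fields.
Version: 6.1.5
Author: WP Engine
*/
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# post_status should only ever be a slug (publish, draft, ...). A quote, angle bracket,
# inline style attribute or on*= event handler in it is never legitimate.
SUSPICIOUS_RE = re.compile(r'["\'<>]|\bon[a-z]+\s*=|\bstyle\s*=', re.IGNORECASE)

FIXED_VERSION = (6, 1, 6)


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so a double-encoded %2522 -> %22 -> \" is still caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def check_request(target):
    """Return the decoded post_status payload if the request matches the IOC, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/edit.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # decodes one layer of %XX and '+'
    if "acf-post-type" not in qs.get("post_type", []):
        return None
    for raw in qs.get("post_status", []):
        decoded = fully_decode(raw)
        if SUSPICIOUS_RE.search(decoded):
            return decoded
    return None


def scan_log(text):
    """Return [(ip, timestamp, decoded_payload), ...] for every matching request line."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        payload = check_request(m.group("target"))
        if payload is not None:
            hits.append((m.group("ip"), m.group("ts"), payload))
    return hits


def parse_version(s):
    """Turn '6.1.5' into (6, 1, 5); non-numeric suffixes such as '-beta1' are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", s)[:3])


def acf_exposed(version_string):
    """True when an ACF / ACF Pro version string is below the 6.1.6 fix."""
    v = parse_version(version_string)
    v = v + (0,) * (3 - len(v))  # '6.2' compares as 6.2.0
    return v < FIXED_VERSION


def version_from_plugin_header(header_text):
    """Extract the 'Version:' field from a WordPress plugin main-file header."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.MULTILINE)
    return m.group(1) if m else None


if __name__ == "__main__":
    for ip, ts, payload in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} post_status payload: {payload!r}")
    ver = version_from_plugin_header(SAMPLE_ACF_HEADER)
    print(f"ACF version {ver}: {'EXPOSED' if acf_exposed(ver) else 'patched'}")
```

The log scan matches on the decoded parameter rather than on the exact sample URL, so variants of the payload (different handlers, double encoding, other markup) are still caught, while `post_status=publish` on the same endpoint is not flagged. The version check is the companion control for hosts where logs are unavailable: read `Version:` from the plugin's main file and compare numerically, not as a string, so 6.10.x is not misread as older than 6.1.6.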

CVSS provenance

NVD         v3.1   6.1 MEDIUM   CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
VulnCheck          7.1 HIGH