With over 2+ million active installations, Advanced Custom Fields (ACF) is one of the most popular WordPress plugins. In recent news, researchers have discovered a cross-site scripting (XSS) vulnerability in the plugin, which could potentially comprise the data of 2 million websites. A researcher from Patchstack discovered this high-severity XSS vulnerability (identified as CVE-2023-30777).
XSS bugs allow unauthenticated users (hackers) to inject malicious scripts on websites. If a visitor opens this XSS-infected site, it could lead to the execution of a code on the visitor’s web browser leading to data theft.
The XSS vulnerability in the ACF plugin could allow a hacker to steal sensitive information, which could prove to be quite drastic. Through this bug, the hacker could even trick privileged users to click and visit a malicious URL path. It has further been noted that the vulnerability could be triggered by default as soon as a user installs and configures the ACF plugin.
However, quick action has been taken on this vulnerability by the ACF team. They’ve released the 6.1.6 version of the plugin, providing a fix for the vulnerability. With the security risk removed, users can now use the plugin worry-free.
With the rise in the growth of online businesses, security threats have become quite regular and common. It is for this reason that you should ensure to keep your WordPress plugins, themes, and other software up-to-date. Regular WordPress website maintenance should be an integral part of your daily routine.
This will help you weed out issues before they become serious problems. Most importantly, not resolving potential security threats could hurt your site’s traffic, ranking, and brand credibility. Thus, make website maintenance a top priority to ensure your website functions seamlessly.