Assetnote researchers discovered a reflected cross-site scripting vulnerability, tracked as CVE-2023-29489 (CVSS score: 6.1), in the Advanced Custom Fields plugin for WordPress. The ACF field builder allows users to quickly and easily add fields to WP edit screens with only the click of a few buttons.
An authenticated attacker can exploit the flaw to achieve command execution, if targeting a logged-in cPanel user.
“It is possible to execute arbitrary JavaScript, pre-authentication in the context of a victim, on almost every port of a webserver using cPanel within its default setup.” reads the advisory published by the researchers.” reads the advisory. “Even on port 80 and 443, it is possible to reach the /cpanelwebcall/
directory as it is being proxied to the cPanel management ports by Apache. Because of this, an attacker can not only attack the management ports of cPanel but also the applications that are running on port 80 and 443.”
The researchers pointed out that the issue is exploitable regardless of whether or not the cPanel management ports (2080, 2082, 2083, 2086) are exposed externally. The researchers reported that the issue is also exploitable to target websites on ports 80 and 443 if they are being managed by cPanel.
The attacker can exploit the issue to hijack a legitimate user’s cPanel session and carry out malicious activities, including uploading a web shell and gaining command execution.
Vulnerable versions are:
administrators are recommended to upgrade their installs to any of the following cPanel versions or above:
The vulnerability was discovered by Shubham Shah from the Assetnote Security Research Team.
The flaw was disclosed to cPanel on January 23, 2023, and on March 1st, it was fixed and public disclosure released on cPanel website.
The issue could have a huge impact because the plugin has over two million active installations.
“cPanel has a vast attack surface and it needs more attention from the security researcher community. One of the big blockers during our research of cPanel was the binaries that had been compiled to Perl.” concludes the analysis that also includes a PoC code. “We believe that there are more serious bugs yet to be found within these binaries, although, they are quite painful to work with from a reverse engineering perspective.”
We are in the final!
Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections where is reported Securityaffairs or my name Pierluigi Paganini
Please nominate Security Affairs as your favorite blog.
Nominate Pierluigi Paganini and Security Affairs here here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Advanced Custom Fields)
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft Windows flaws to its Known Exploited…
Ivanti addressed two Endpoint Manager Mobile (EPMM) software vulnerabilities that have been exploited in limited…
Microsoft Patch Tuesday security updates for May 2025 addressed 75 security flaws across multiple products, including…
Fortinet fixed a critical remote code execution zero-day vulnerability actively exploited in attacks targeting FortiVoice…
Interlock Ransomware 's attack on a defense contractor exposed global defense supply chain details, risking…
Marks and Spencer (M&S) confirms that threat actors stole customer data in the ransomware attack…
This website uses cookies.