WordPress Advanced Custom Fields plugin XSS exposes +2M sites to attacks

A reflected cross-site scripting vulnerability is the Advanced Custom Fields plugin for WordPress exposed over 2 million sites to hacking.

Assetnote researchers discovered a reflected cross-site scripting vulnerability, tracked as CVE-2023-29489 (CVSS score: 6.1), in the Advanced Custom Fields plugin for WordPress. The ACF field builder allows users to quickly and easily add fields to WP edit screens with only the click of a few buttons.

An authenticated attacker can exploit the flaw to achieve command execution, if targeting a logged-in cPanel user.

“It is possible to execute arbitrary JavaScript, pre-authentication in the context of a victim, on almost every port of a webserver using cPanel within its default setup.” reads the advisory published by the researchers.” reads the advisory. “Even on port 80 and 443, it is possible to reach the /cpanelwebcall/ directory as it is being proxied to the cPanel management ports by Apache. Because of this, an attacker can not only attack the management ports of cPanel but also the applications that are running on port 80 and 443.”

The researchers pointed out that the issue is exploitable regardless of whether or not the cPanel management ports (2080, 2082, 2083, 2086) are exposed externally. The researchers reported that the issue is also exploitable to target websites on ports 80 and 443 if they are being managed by cPanel.

The attacker can exploit the issue to hijack a legitimate user’s cPanel session and carry out malicious activities, including uploading a web shell and gaining command execution.

Vulnerable versions are:

• < 11.109.9999.116
• < 11.108.0.13
• < 11.106.0.18
• < 11.102.0.31

administrators are recommended to upgrade their installs to any of the following cPanel versions or above:

• 11.109.9999.116
• 11.108.0.13
• 11.106.0.18
• 11.102.0.31

The vulnerability was discovered by Shubham Shah from the Assetnote Security Research Team.

The flaw was disclosed to cPanel on January 23, 2023, and on March 1st, it was fixed and public disclosure released on cPanel website.

The issue could have a huge impact because the plugin has over two million active installations.

“cPanel has a vast attack surface and it needs more attention from the security researcher community. One of the big blockers during our research of cPanel was the binaries that had been compiled to Perl.” concludes the analysis that also includes a PoC code. “We believe that there are more serious bugs yet to be found within these binaries, although, they are quite painful to work with from a reverse engineering perspective.”

We are in the final!

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections where is reported Securityaffairs or my name Pierluigi Paganini

Please nominate Security Affairs as your favorite blog.

Nominate Pierluigi Paganini and Security Affairs here here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Advanced Custom Fields)