Hacking

WordPress Advanced Custom Fields plugin XSS exposes +2M sites to attacks

A reflected cross-site scripting vulnerability is the Advanced Custom Fields plugin for WordPress exposed over 2 million sites to hacking.

Assetnote researchers discovered a reflected cross-site scripting vulnerability, tracked as CVE-2023-29489 (CVSS score: 6.1), in the Advanced Custom Fields plugin for WordPress. The ACF field builder allows users to quickly and easily add fields to WP edit screens with only the click of a few buttons.

An authenticated attacker can exploit the flaw to achieve command execution, if targeting a logged-in cPanel user.

“It is possible to execute arbitrary JavaScript, pre-authentication in the context of a victim, on almost every port of a webserver using cPanel within its default setup.” reads the advisory published by the researchers.” reads the advisory. “Even on port 80 and 443, it is possible to reach the /cpanelwebcall/ directory as it is being proxied to the cPanel management ports by Apache. Because of this, an attacker can not only attack the management ports of cPanel but also the applications that are running on port 80 and 443.”

The researchers pointed out that the issue is exploitable regardless of whether or not the cPanel management ports (2080, 2082, 2083, 2086) are exposed externally. The researchers reported that the issue is also exploitable to target websites on ports 80 and 443 if they are being managed by cPanel.

The attacker can exploit the issue to hijack a legitimate user’s cPanel session and carry out malicious activities, including uploading a web shell and gaining command execution.

Vulnerable versions are:

  • < 11.109.9999.116
  • < 11.108.0.13
  • < 11.106.0.18
  • < 11.102.0.31

administrators are recommended to upgrade their installs to any of the following cPanel versions or above:

  • 11.109.9999.116
  • 11.108.0.13
  • 11.106.0.18
  • 11.102.0.31

The vulnerability was discovered by Shubham Shah from the Assetnote Security Research Team.

The flaw was disclosed to cPanel on January 23, 2023, and on March 1st, it was fixed and public disclosure released on cPanel website.

The issue could have a huge impact because the plugin has over two million active installations.

“cPanel has a vast attack surface and it needs more attention from the security researcher community. One of the big blockers during our research of cPanel was the binaries that had been compiled to Perl.” concludes the analysis that also includes a PoC code. “We believe that there are more serious bugs yet to be found within these binaries, although, they are quite painful to work with from a reverse engineering perspective.”

We are in the final!

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections where is reported Securityaffairs or my name Pierluigi Paganini

Please nominate Security Affairs as your favorite blog.

Nominate Pierluigi Paganini and Security Affairs here here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Advanced Custom Fields)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

U.S. CISA adds Microsoft Windows flaws to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft Windows flaws to its Known Exploited…

49 minutes ago

Ivanti fixed two EPMM flaws exploited in limited attacks

Ivanti addressed two Endpoint Manager Mobile (EPMM) software vulnerabilities that have been exploited in limited…

3 hours ago

Microsoft Patch Tuesday security updates for May 2025 fixed 5 actively exploited zero-days

Microsoft Patch Tuesday security updates for May 2025 addressed 75 security flaws across multiple products, including…

11 hours ago

Fortinet fixed actively exploited FortiVoice zero-day<gwmw style="display:none;"></gwmw><gwmw style="display:none;"></gwmw>

Fortinet fixed a critical remote code execution zero-day vulnerability actively exploited in attacks targeting FortiVoice…

13 hours ago

How Interlock Ransomware Affects the Defense Industrial Base Supply Chain

Interlock Ransomware 's attack on a defense contractor exposed global defense supply chain details, risking…

1 day ago

Marks and Spencer confirms data breach after April cyber attack

Marks and Spencer (M&S) confirms that threat actors stole customer data in the ransomware attack…

1 day ago