ACF Fixes Reflected XSS Vulnerability Affecting Over 2 Million Users
Advanced Custom Fields (ACF) has fixed a reflected cross-site scripting (XSS) vulnerability affecting versions 6.1.5 and below of both ACF and ACF Pro, a user base of over 2 million sites. The vulnerability was found and reported by Rafie Muhammad, a researcher at Patchstack, on May 2, 2023. The ACF developers released the fix in version 6.1.6 on May 4, 2023.
According to Muhammad, an unauthenticated attacker can exploit the flaw by tricking a privileged user (such as an administrator) into visiting a crafted URL. The injected script then runs in that user's browser session and can be used to steal sensitive information and, in this case, escalate privileges on the WordPress site. Patchstack rated the vulnerability high severity under CVSS version 3.1. Muhammad also published a proof of concept in the security advisory.
At present, there are no known reports of the vulnerability being exploited in the wild. However, because the advisory includes a working proof of concept, users of ACF free and ACF Pro are advised to update to version 6.1.6 or later as soon as possible (or enable automatic updates for the plugin) to avoid any potential security risk.
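For administrators who manage many WordPress installs, the practical check is whether each site still runs a version at or below 6.1.5. The following Python script is an added example, not code from the article or from ACF: it reads the `Version:` field from the header comment that WordPress itself parses in a plugin's main file and compares it numerically against the patched release. The sample headers are constructed for the example; the directory names and the `audit` helper are assumptions for illustration only.

```python
import re

# Fixed release named in the Patchstack advisory.
PATCHED_VERSION = "6.1.6"

# Constructed sample headers, shaped like the comment block WordPress reads
# from a plugin's main file (e.g. advanced-custom-fields/acf.php).
# These are not copied from the real plugin.
SAMPLE_PLUGIN_HEADERS = {
    "acf-free-old": """<?php
/*
Plugin Name: Advanced Custom Fields
Version: 6.1.5
*/
""",
    "acf-pro-patched": """<?php
/**
 * Plugin Name: Advanced Custom Fields PRO
 * Version: 6.1.6
 */
""",
    "acf-free-newer": """<?php
/*
Plugin Name: Advanced Custom Fields
Version: 6.1.10
*/
""",
}

# Matches "Version: x.y.z" at line start, with or without a leading "*".
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def plugin_version(header_text):
    """Return the Version: value from a WordPress plugin header, or None if absent."""
    m = VERSION_RE.search(header_text)
    return m.group(1) if m else None


def version_key(version):
    """Numeric tuple for comparison, so 6.1.10 sorts after 6.1.6.

    A plain string comparison gets this wrong ("6.1.10" < "6.1.6"), which is
    exactly the kind of bug that makes a version audit report a patched site
    as vulnerable or vice versa.
    """
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group(0)) if digits else 0)
    return tuple(parts)


def is_affected(version):
    """True when the installed version is below the patched release (6.1.5 and earlier)."""
    return version_key(version) < version_key(PATCHED_VERSION)


def audit(headers):
    """Classify each plugin header as 'affected', 'patched' or 'unknown'. (Hypothetical helper.)"""
    result = {}
    for name, text in headers.items():
        v = plugin_version(text)
        if v is None:
            result[name] = "unknown"
        else:
            result[name] = "affected" if is_affected(v) else "patched"
    return result


if __name__ == "__main__":
    for name, status in audit(SAMPLE_PLUGIN_HEADERS).items():
        print(f"{name}: {status}")
```

In a real deployment you would feed `plugin_version()` the contents of `wp-content/plugins/advanced-custom-fields/acf.php` (or the `-pro` directory) from each site; the numeric comparison is what matters, since any version below 6.1.6 is within the affected range.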
In conclusion, ACF has taken swift action to patch the reflected XSS vulnerability discovered by Patchstack researcher Rafie Muhammad. Users of ACF and ACF Pro should update to the latest version of the plugin to ensure their WordPress site remains secure.