On May 5, Patchstack released a security advisory about a high-severity reflected cross-site scripting (XSS) vulnerability in ACF (Advanced Custom Fields), a plugin whose more than 4.5 million users could potentially be affected. WP Engine quickly patched the vulnerability on May 4, but the Akamai Security Intelligence Group (SIG) has reported that attackers began attempting to exploit it within 24 hours of Patchstack’s publication.
According to Akamai Principal Security Researcher Ryan Barnett, “Once exploit vector details are publicly released, scanning and exploitation attempts rapidly increase.” He added that it is common for security researchers and companies to examine new vulnerabilities as soon as they are released, but that the volume of attacks is increasing and the window between a disclosure and the surge in exploitation attempts is shrinking. The Akamai SIG analyzed XSS attack data and identified attacks starting within 24 hours of the exploit PoC being made public.
“What is particularly interesting about this is the query itself: The threat actor copied and used the Patchstack sample code from the write-up,” Barnett said.
Patchstack’s security advisory includes a breakdown of the vulnerability, a sample payload, and details of the patch. Although the vulnerability, assigned CVE-2023-30777, was promptly patched, site owners have been slow to update to the latest patched version of the plugin (6.1.6). Only 31.5% of the plugin’s user base is running version 6.1+, leaving a significant portion still vulnerable unless protected by additional security measures such as virtual patches.
“Exploitation of this leads to a reflected XSS attack in which a threat actor can inject malicious scripts, redirects, ads, and other forms of URL manipulation into a victim site,” Barnett said. “This would, in turn, push those illegitimate scripts to visitors of that affected site. This manipulation is essentially blind to the site owner, making these threats even more dangerous.”
Barnett noted that the attackers’ use of Patchstack’s sample code indicates these are not sophisticated attempts, but that the comprehensive security advisory makes vulnerable sites easy to target. “This highlights that the response time for attackers is rapidly decreasing, increasing the need for vigorous and prompt patch management,” Barnett said.
In conclusion, site owners should update the ACF plugin to the latest patched version (6.1.6) to avoid falling victim to this vulnerability. Implementing security measures such as virtual patching can also provide an extra layer of protection. As the volume and speed of attacks continue to increase, prompt patch management is essential to website security.