Ethical Hacking News Hubb
Advertisement Banner
  • Home
  • News
  • Ethical Hackers
  • Contact
No Result
View All Result
  • Home
  • News
  • Ethical Hackers
  • Contact
No Result
View All Result
Wellnessnewshubb
No Result
View All Result
Home Ethical Hackers

New Vulnerability in Popular WordPress Plugin Exposes Over 2 Million Sites to Cyberattacks

admin by admin
May 8, 2023
in Ethical Hackers


May 06, 2023Ravie Lakshmanan

Users of Advanced Custom Fields plugin for WordPress are being urged to update version 6.1.6 following the discovery of a security flaw.

The issue, assigned the identifier CVE-2023-30777, relates to a case of reflected cross-site scripting (XSS) that could be abused to inject arbitrary executable scripts into otherwise benign websites.

The plugin, which is available both as a free and pro version, has over two million active installations. The issue was discovered and reported to the maintainers on May 2, 2023.

“This vulnerability allows any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by tricking a privileged user to visit the crafted URL path,” Patchstack researcher Rafie Muhammad said.

Cybersecurity

Reflected XSS attacks usually occur when victims are tricked into clicking on a bogus link sent via email or another route, causing the malicious code to be sent to the vulnerable website, which reflects the attack back to the user’s browser.

This element of social engineering means that reflected XSS does not have the same reach and scale as stored XSS attacks, prompting threat actors to distribute the malicious link to as many victims as possible.

“[A reflected XSS attack] is typically a result of incoming requests not being sufficiently sanitized, which allows for the manipulation of a web application’s functions and the activation of malicious scripts,” Imperva notes.

WordPress Plugin

It’s worth noting that CVE-2023-30777 can be activated on a default installation or configuration of Advanced Custom Fields, although it’s only possible to do so from logged-in users who have access to the plugin.

The development comes as Craft CMS patched two medium-severity XSS flaws (CVE-2023-30177 and CVE-2023-31144) that could be exploited by a threat actor to serve malicious payloads.

UPCOMING WEBINAR

Learn to Stop Ransomware with Real-Time Protection

Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.

Save My Seat!

It also follows the disclosure of another XSS flaw in the cPanel product (CVE-2023-29489, CVSS score: 6.1) that could be exploited without any authentication to run arbitrary JavaScript.

“An attacker can not only attack the management ports of cPanel but also the applications that are running on port 80 and 443,” Assetnote’s Shubham Shah said, adding it could enable an adversary to hijack a valid user’s cPanel session.

“Once acting on behalf of an authenticated user of cPanel, it is usually trivial to upload a web shell and gain command execution.”

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.





Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
Previous Post

Prototype Of A Fuzzer That Does Not Directly Mutate Inputs (As Most Fuzzers Do) But Instead Uses A So-Called Generator Application To Produce An Input For Our Fuzzing Target

Next Post

The best IKEv2 VPNs for 2023

Next Post

The best IKEv2 VPNs for 2023

Recommended

How to watch The Dragon Prince Season 4 online

7 months ago

Scans Software Bill Of Materials (SBOMs) For Security Vulnerabilities

7 months ago

© Ethical Hacking News Hubb All rights reserved.

Use of these names, logos, and brands does not imply endorsement unless specified. By using this site, you agree to the Privacy Policy and Terms & Conditions.

Navigate Site

  • Home
  • News
  • Ethical Hackers
  • Contact

Newsletter Sign Up.

No Result
View All Result
  • Home
  • News
  • Ethical Hackers
  • Contact

© 2022 Ethical Hacking News Hubb All rights reserved.