Advanced Custom Fields Plugin Patches Reflected XSS Vulnerability – WP Tavern
Advanced Custom Fields (ACF) has patched a reflected XSS vulnerability that affects versions 6.1.5 and below of ACF and ACF Pro, potentially impacting more than 2 million users. It was discovered by Patchstack researcher Rafie Muhammad on May 2, 2023, and patched by the ACF developers in version 6.1.6 on May 5, 2023.
Patchstack published a security bulletin and Muhammad described the vulnerability as follows:
This vulnerability allows any unauthenticated user to steal sensitive information for, in this case, privilege escalation on the WordPress site by tricking a privileged user into visiting the crafted URL path.
The vulnerability was given a high severity CVSS score of 3.1. Muhammad outlined a proof of concept in the security bulletin. At this time, the vulnerability is not known to have been exploited. ACF free and ACF Pro users should update to the latest 6.1.6 version of the plugin as soon as possible.