WordPress plugin vulnerability places two million web sites in danger • Graham Cluley

By
Ztec 100
-
0
287
WordPress plugin vulnerability places two million web sites in danger • Graham Cluley


WordPress plugin vulnerability puts two million websites at risk

A well-liked WordPress plugin may very well be placing round two million web sites liable to assault.

Millions of WordPress-powered web sites are utilizing the Advanced Custom Fields and Advanced Custom Fields Pro plugins, which safety researchers say have been weak to cross-site scripting (XSS) assaults.

The excessive severity vulnerability might have allowed a malicious hacker to inject malicious scripts, resembling redirects, adverts, and different HTML content material into web site that might execute when customers visited the focused web site.

EmailSign as much as our publication
Security information, recommendation, and ideas.

Thankfully, the vulnerability was mitigated considerably by the truth that it might solely be exploited by logged-in customers who had entry to the weak plugin, that means {that a} non-logged-in attacker must trick somebody who was logged in with the suitable privileges to go to a malicious URL to set off an assault.

Although that’s clearly a lot better than if the assault may very well be initiated by anybody acessing the web site, it’s nonetheless necessary that affected websites are patched promptly.

Security researcher Rafie Muhammad found the XSS vulnerability three days in the past, and plugin developer WPEngine launched a patch yesterday.

Administrators of WordPress web sites which can be utilizing the affected plugins ought to guarantee they’ve up to date Advanced Custom Fields to model 6.1.6 or later.

Acf release notes
Advanced Custom Fields plugin changelog.

I take advantage of the Advanced Custom Fields right here on grahamcluley.com, so after I first heard concerning the vulnerability I realised I wanted to patch the plugin throughout the WordPress admin console as shortly as doable.

Fortunately, it turned out that Advanced Custom Fields was one of many plugins that I’ve chosen to permit to robotically replace.

No proof has been offered of anybody maliciously exploiting the safety gap in weak variations of the plugin, though after all that doesn’t imply it hasn’t occurred.

Found this text fascinating? Follow Graham Cluley on Twitter or Mastodon to learn extra of the unique content material we put up.

Graham Cluley is a veteran of the anti-virus trade having labored for quite a few safety firms for the reason that early Nineties when he wrote the primary ever model of Dr Solomon’s Anti-Virus Toolkit for Windows. Now an impartial safety analyst, he repeatedly makes media appearances and is an international public speaker on the subject of laptop safety, hackers, and on-line privateness.
Follow him on Twitter at @gcluley, on Mastodon at @[email protected], or drop him an electronic mail.

LEAVE A REPLY

Please enter your comment!
Please enter your name here