PT-2023-3724 · Wp Engine · Wp Engine Advanced Custom Fields

Rafie Muhammad

·

Published

2023-05-05

·

Updated

2023-06-18

·

CVE-2023-30777

CVSS v2.0

9.0

High

Vector AV:N/AC:L/Au:N/C:C/I:P/A:P
Name of the Vulnerable Software and Affected Versions: WP Engine Advanced Custom Fields Pro and WP Engine Advanced Custom Fields plugins, versions 6.1.5 and earlier
Description: The issue is an unauthenticated reflected cross-site scripting (XSS) vulnerability in the WP Engine Advanced Custom Fields Pro and WP Engine Advanced Custom Fields plugins. An unauthenticated attacker can exploit it to run script in the browser of a user of the affected site. As with any reflected XSS, the payload is delivered through a crafted link that the victim must open, so the impact is bounded by the privileges of the user who follows it. Over 1.4 million websites running the affected plugin have reportedly not been updated to the patched version, providing a significant attack surface. The issue has been exploited in the wild, with attackers reusing the example code from a publicly available article to launch attacks.
Recommendations: For WP Engine Advanced Custom Fields Pro and WP Engine Advanced Custom Fields plugins versions 6.1.5 and earlier, update to version 6.1.6 or later as soon as possible; exploitation is ongoing. If the update cannot be applied immediately, restrict access to the vulnerable plugin as a temporary workaround until it is patched.
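A quick way to find installs that still need the update is to read the plugin's own version header rather than trust a dashboard. The following is an added example written for this advisory, not code from WP Engine or the ACF project. It assumes the standard WordPress plugin header layout ("Version: x.y.z" in the main PHP file) and that both plugins ship their header in a file named acf.php under the slugs advanced-custom-fields and advanced-custom-fields-pro; the sample headers at the bottom are constructed for the demonstration. A pre-release of the fix version (for example "6.1.6-RC1") is deliberately treated as affected, since the advisory only vouches for 6.1.6 itself.

```python
"""Flag Advanced Custom Fields / ACF Pro installs still in the range affected
by CVE-2023-30777 (6.1.5 and earlier; fixed in 6.1.6)."""
import re
from pathlib import Path

FIXED_VERSION = (6, 1, 6)  # first release the advisory lists as patched

# Assumed main-file paths, relative to wp-content/plugins/.
ACF_MAIN_FILES = {
    "advanced-custom-fields": "advanced-custom-fields/acf.php",
    "advanced-custom-fields-pro": "advanced-custom-fields-pro/acf.php",
}

# Matches the "Version:" line of a WordPress plugin header, with or without
# the leading " * " used inside a docblock.
VERSION_HEADER = re.compile(r"^\s*\*?\s*Version:\s*(?P<version>\S+)", re.M)


def parse_version(text):
    """Split a version string into (numeric tuple, is_prerelease).

    "6.1.5"     -> ((6, 1, 5), False)
    "6.1.6-RC1" -> ((6, 1, 6), True)   # trailing suffix marks a pre-release
    Returns None when no numeric prefix is present.
    """
    m = re.match(r"(\d+(?:\.\d+)*)(.*)$", text.strip())
    if not m:
        return None
    numbers = tuple(int(p) for p in m.group(1).split("."))
    return numbers, bool(m.group(2))


def is_affected(version):
    """True when the version is 6.1.5 or earlier, or a pre-release of 6.1.6."""
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"cannot parse plugin version {version!r}")
    numbers, prerelease = parsed
    # Pre-releases sort before the final release of the same number, so
    # (6.1.6, pre) < (6.1.6, final) and is still counted as affected.
    return (numbers, 0 if prerelease else 1) < (FIXED_VERSION, 1)


def header_version(php_source):
    """Return the value of the 'Version:' header line, or None if absent."""
    m = VERSION_HEADER.search(php_source)
    return m.group("version") if m else None


def audit_sources(sources):
    """Audit a mapping of plugin slug -> main-file source text.

    Returns a list of (slug, version, affected); version is None and
    affected is False when the header could not be read.
    """
    results = []
    for slug, php_source in sources.items():
        version = header_version(php_source)
        affected = version is not None and is_affected(version)
        results.append((slug, version, affected))
    return results


def audit_plugin_dir(plugins_root):
    """Read the headers of any ACF variant installed under plugins_root."""
    sources = {}
    for slug, rel in ACF_MAIN_FILES.items():
        main_file = Path(plugins_root) / rel
        if main_file.is_file():
            sources[slug] = main_file.read_text(errors="replace")
    return audit_sources(sources)


# Constructed sample headers standing in for the two plugins' acf.php files;
# the free plugin is still on 6.1.5, the Pro plugin has taken the update.
SAMPLE_HEADERS = {
    "advanced-custom-fields": """<?php
/*
Plugin Name: Advanced Custom Fields
Version: 6.1.5
*/
""",
    "advanced-custom-fields-pro": """<?php
/*
 * Plugin Name: Advanced Custom Fields PRO
 * Version: 6.1.6
 */
""",
}

if __name__ == "__main__":
    for slug, version, affected in audit_sources(SAMPLE_HEADERS):
        state = "AFFECTED, update to 6.1.6" if affected else "ok"
        print(f"{slug}: {version} -> {state}")
```

Point audit_plugin_dir at a site's wp-content/plugins directory to check a real tree; on a fleet, the same check can be fed from whatever inventory already records the plugin version string.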

Exploit

Fix

XSS

Related Identifiers

BDU:2023-04012
CVE-2023-30777

Affected Products

Wp Engine Advanced Custom Fields