CIO News Hubb
New Vulnerability in Popular WordPress Plugin Exposes Over 2 Million Sites to Cyberattacks

by admin
May 8, 2023
in Information Security


May 06, 2023Ravie Lakshmanan

Users of the Advanced Custom Fields plugin for WordPress are being urged to update to version 6.1.6 following the discovery of a security flaw.

The issue, assigned the identifier CVE-2023-30777, relates to a case of reflected cross-site scripting (XSS) that could be abused to inject arbitrary executable scripts into otherwise benign websites.

The plugin, which is available both as a free and pro version, has over two million active installations. The issue was discovered and reported to the maintainers on May 2, 2023.

“This vulnerability allows any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by tricking a privileged user to visit the crafted URL path,” Patchstack researcher Rafie Muhammad said.

Reflected XSS attacks usually occur when victims are tricked into clicking on a bogus link sent via email or another route, causing the malicious code to be sent to the vulnerable website, which reflects the attack back to the user’s browser.

This element of social engineering means that reflected XSS does not have the same reach and scale as stored XSS attacks, prompting threat actors to distribute the malicious link to as many victims as possible.

“[A reflected XSS attack] is typically a result of incoming requests not being sufficiently sanitized, which allows for the manipulation of a web application’s functions and the activation of malicious scripts,” Imperva notes.
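As an added illustration of the pattern the Imperva quote describes, and not code from Advanced Custom Fields, Patchstack or WordPress itself, here is a hypothetical WordPress admin page callback that reflects a query-string value, first in the vulnerable form and then hardened with a capability check, an allow-list and context-appropriate output escaping. All function and option names are invented for the example; the escaping and sanitisation helpers are WordPress core functions.

```php
<?php
// Added example, not plugin code. Two versions of a hypothetical admin
// page callback registered for the slug "example-settings".

// Vulnerable pattern: the "tab" request parameter is reflected straight
// into the page, so a crafted link opened by a logged-in administrator
// runs in that user's authenticated context (reflected XSS).
function example_settings_page_vulnerable() {
    $tab = isset( $_GET['tab'] ) ? $_GET['tab'] : 'general';
    echo '<h2>Settings: ' . $tab . '</h2>';
    echo '<a href="?page=example-settings&tab=' . $tab . '">Reload</a>';
}

// Hardened pattern:
//  1. require the capability needed to view the page,
//  2. reduce the parameter to a key and restrict it to a known allow-list,
//  3. escape on output with the helper matched to the HTML context
//     (esc_html for text nodes, esc_url for href values).
function example_settings_page_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ) );
    }

    $allowed_tabs = array( 'general', 'fields', 'tools' );
    $tab = isset( $_GET['tab'] )
        ? sanitize_key( wp_unslash( $_GET['tab'] ) )
        : 'general';
    if ( ! in_array( $tab, $allowed_tabs, true ) ) {
        $tab = 'general'; // unknown value: fall back, never reflect it
    }

    // Build the link with core helpers instead of string concatenation.
    $url = add_query_arg(
        array( 'page' => 'example-settings', 'tab' => $tab ),
        admin_url( 'admin.php' )
    );

    echo '<h2>Settings: ' . esc_html( $tab ) . '</h2>';
    echo '<a href="' . esc_url( $url ) . '">Reload</a>';
}
```

The allow-list alone would already block this case; the output escaping is kept because it protects any value that later escapes the allow-list, for example when a new tab is added and the check is forgotten.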

It’s worth noting that CVE-2023-30777 can be activated on a default installation or configuration of Advanced Custom Fields, although it’s only possible to do so from logged-in users who have access to the plugin.

The development comes as Craft CMS patched two medium-severity XSS flaws (CVE-2023-30177 and CVE-2023-31144) that could be exploited by a threat actor to serve malicious payloads.

It also follows the disclosure of another XSS flaw in the cPanel product (CVE-2023-29489, CVSS score: 6.1) that could be exploited without any authentication to run arbitrary JavaScript.

“An attacker can not only attack the management ports of cPanel but also the applications that are running on port 80 and 443,” Assetnote’s Shubham Shah said, adding it could enable an adversary to hijack a valid user’s cPanel session.

“Once acting on behalf of an authenticated user of cPanel, it is usually trivial to upload a web shell and gain command execution.”

© CIO News Hubb All rights reserved.