
Vulnerability in a popular WordPress plugin has put millions of websites at risk

A vulnerability in a popular plugin, with more than 2 million active installations, is being used by hackers to steal sensitive data from visitors. In some cases, the vulnerability leads to a complete takeover of the website.

The plugin is called Advanced Custom and it gives website admins control over the website’s content and data. The plugin has a serious cross-site scripting (XSS) vulnerability that lets attackers inject malicious code into websites. The code executes in the visitor’s browser and can be used to grab sensitive data. If the visitor is also the site’s admin, an attacker can use the data to take over the website.

The vulnerability was discovered by Patchstack researcher Rafie Muhammad in early February 2023. He reported it to the plugin’s vendor, Delicious Brains. The vulnerability was rated 6.1/10 in severity.

“This vulnerability allows any unauthenticated user [to steal] sensitive information to, in this case, privilege escalation on the WordPress site by tricking the privileged user to visit the crafted URL path,” Patchstack wrote in its report.

The vulnerability stems from the plugin’s handler for the ‘admin_body_class’ filter hook, which fails to properly escape the value it returns. That value controls the CSS classes rendered into the class attribute of the admin page’s main body tag. The plugin does run the value through the cleaning function ‘sanitize_text_field’, but that function strips HTML tags rather than escaping the value for use inside an HTML attribute, so it does not stop the injection.
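The following is an added illustration of the pattern described above; it is not code from the article or from the plugin. WordPress is not loaded, so the hook and the helpers are stand-ins: ‘sanitize_text_field’, ‘sanitize_html_class’ and ‘esc_attr’ are approximated with PHP built-ins, the request value is constructed, and the class name ‘plugin-admin’ is made up. It shows why tag stripping leaves a quoted attribute breakable while an allowlist plus attribute escaping keeps the body tag intact.

```php
<?php
// Added example (not from the article or the plugin): a weak 'admin_body_class'
// handler beside a hardened one, rendered the way wp-admin prints the filtered
// classes (unescaped, trusting the filter callback). Stand-ins, not WordPress:
//   sanitize_text_field  ~ strip_tags + whitespace cleanup (removes tags, keeps quotes)
//   sanitize_html_class  ~ allowlist of [A-Za-z0-9_-]
//   esc_attr             ~ htmlspecialchars(..., ENT_QUOTES)

declare(strict_types=1);

/** Stand-in for sanitize_text_field(): strips tags and line breaks, leaves quotes alone. */
function sanitize_text_field_stub(string $value): string
{
    $value = strip_tags($value);
    $value = preg_replace('/[\r\n\t ]+/', ' ', $value);
    return trim($value);
}

/** Stand-in for sanitize_html_class(): keep only characters valid in a CSS class token. */
function sanitize_html_class_stub(string $value): string
{
    return preg_replace('/[^A-Za-z0-9_-]/', '', $value);
}

/** Stand-in for esc_attr(): encode quotes, angle brackets and ampersands for an attribute. */
function esc_attr_stub(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Weak pattern: tag stripping is the wrong tool for an attribute context. */
function weak_admin_body_class(string $classes, string $request_value): string
{
    return $classes . ' ' . sanitize_text_field_stub($request_value);
}

/** Hardened pattern: restrict to a valid class token, then escape for the attribute. */
function safe_admin_body_class(string $classes, string $request_value): string
{
    $token = sanitize_html_class_stub($request_value);
    return $classes . ' ' . esc_attr_stub($token);
}

/** Mirrors how the admin header prints the filtered classes: unescaped, trusting the filter. */
function render_body_tag(string $classes): string
{
    return '<body class="wp-admin ' . $classes . '">';
}

/** True if the rendered <body> start tag still carries exactly one attribute value. */
function attribute_intact(string $body_tag): bool
{
    // A second '="' means the quoted class value was broken out of.
    return substr_count($body_tag, '="') === 1;
}

// Constructed request value: a quote followed by a harmless second attribute, no script.
$untrusted = 'post" data-injected="1';

$weak = render_body_tag(weak_admin_body_class('plugin-admin', $untrusted));
$safe = render_body_tag(safe_admin_body_class('plugin-admin', $untrusted));

printf("weak: %s  intact=%s\n", $weak, attribute_intact($weak) ? 'yes' : 'no');
printf("safe: %s  intact=%s\n", $safe, attribute_intact($safe) ? 'yes' : 'no');
```

Run with `php example.php`. The weak branch prints a body tag with two attribute values (the class value was closed early), while the hardened branch yields a single class token; the same check can be used as a regression test in a plugin’s CI once the real WordPress functions are swapped in.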

Developers of the plugin fixed the vulnerability in early April and pushed updated code in version 6.1.6. If you also use this plugin in your WordPress website, update the plugin as soon as possible.

WordPress is the most popular content management system that powers around 43.2 percent of all websites. Due to its popularity, it is also one of the primary targets of hackers who want to exploit flaws to hack websites.


About the Author: Deepanker Verma

Deepanker Verma is the Founder and Editor-in-Chief of TechloMedia. He holds an Engineering degree in Computer Science and has over 15 years of experience in the technology sector. Deepanker bridges the gap between complex engineering and consumer electronics. He is also a known Security Researcher acknowledged by global giants including Apple, Microsoft, and eBay. He uses his technical background to rigorously test gadgets, focusing on performance, security, and long-term value.
