Official forum for Utopia Community
An update to version 6.1.6 is advised for users of the Advanced Custom Fields plugin for WordPress after a security hole was found.
The problem, known as CVE-2023-30777, is with reflected cross-site scripting (XSS), which can be used to insert arbitrary executable scripts into otherwise innocent websites.
Over two million people have installed the plugin, which is offered in both a free and paid version. The problem was identified on May 2, 2023, and it was reported to the maintainers.
According to a Patchstack researcher, "This vulnerability allows any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by tricking a privileged user to visit the crafted URL path."
Reflected XSS attacks typically take place when targets are duped into clicking on a fake link sent via email or another channel, which sends the malicious code to the vulnerable website and reflects the attack back to the user's browser.
Threat actors spread the malicious link to as many victims as they can because reflected XSS attacks do not have the same reach and scope as stored XSS attacks due to this social engineering component.
Imperva states that "[a reflected XSS attack] is usually the result of incoming requests not being sufficiently sanitized, which permits the manipulation of a web application's functions and the activation of malicious scripts."
It's important to note that CVE-2023-30777 can be activated on an Advanced Custom Fields installation or configuration that is set up by default, though this can only be done by logged-in users who have access to the plugin.
The change occurs after Craft CMS patched two medium-severity XSS flaws (CVE-2023-30177 and CVE-2023-31144) that a threat actor could use to serve malicious payloads.
It also comes after the disclosure of another XSS flaw in the cPanel product (CVE-2023-29489, CVSS score: 6.1) that could be used to run arbitrary JavaScript without any authentication.
Assetnote's Shubham Shah stated that "an attacker can not only attack the management ports of cPanel but also the applications that are running on port 80 and 443," adding that it could allow an adversary to hijack a legitimate user's cPanel session.
"Once acting on behalf of a cPanel user who has been authenticated, it is typically simple to upload a web shell and obtain command execution."
Host your website on the UtopiaP2P network and be safe from all this and more.
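The pattern Imperva describes above, a request parameter reflected into the page without output encoding, next to its hardened form, as an added Python stand-in: this is illustrative code, not the Advanced Custom Fields plugin's own (which is PHP), and the handler names and the `field` parameter are assumptions. The check at the end is the kind of regression test a plugin maintainer or site owner can run against a handler before shipping it.

```python
import html
from typing import Callable, Mapping

# Constructed stand-ins for a page that echoes a request parameter back into
# its HTML. Illustrative only: not the Advanced Custom Fields plugin's code
# (that is PHP); handler names and the 'field' parameter are assumptions.

def render_unsafe(params: Mapping[str, str]) -> str:
    """Reflects the 'field' query parameter verbatim: the reflected-XSS pattern."""
    field = params.get("field", "")
    return f"<p>Unknown field: {field}</p>"

def render_safe(params: Mapping[str, str]) -> str:
    """Same page with output encoding for the HTML text context.

    In WordPress this role is played by esc_html() (or esc_attr() inside an
    attribute value); html.escape() is the Python equivalent.
    """
    field = html.escape(params.get("field", ""), quote=True)
    return f"<p>Unknown field: {field}</p>"

# Benign canary: characters that must never come back raw in an HTML context.
CANARY = '"<canary>'

def reflects_unencoded(handler: Callable[[Mapping[str, str]], str], name: str) -> bool:
    """Regression check: does the handler echo `name` without HTML-encoding it?

    Sends a harmless canary containing '<' and '"' and returns True when those
    characters appear verbatim in the response, i.e. the page reflects the
    parameter into HTML without encoding it.
    """
    body = handler({name: CANARY})
    return CANARY in body

if __name__ == "__main__":
    for label, handler in (("unsafe", render_unsafe), ("safe", render_safe)):
        print(f"{label}: reflects unencoded = {reflects_unencoded(handler, 'field')}")
```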
When you say they have a new vulnerability, do you mean that they were hacked to the tune of 2 million dollars, or that they are susceptible to being hacked?
KAMSI_UG;7870 wrote:When you say they have a new vulnerability, do you mean that they were hacked to the tune of 2 million dollars, or that they are susceptible to being hacked?
Dollars were not included in my post, and when I said over 2 million, I meant that over 2 million users of the WordPress plugin were affected by the security hole.
KAMSI_UG;7870 wrote:When you say they have a new vulnerability, do you mean that they were hacked to the tune of 2 million dollars, or that they are susceptible to being hacked?
Dollars were not included in my post, and when I said over 2 million, I meant that over 2 million users of the WordPress plugin were affected by the security hole.
What I can say is that we need to be more careful because the threat actors are not joking these days, and they can easily spread a malicious file link to millions of victims with just a single click.
thrive;7921 wrote:KAMSI_UG;7870 wrote:When you say they have a new vulnerability, do you mean that they were hacked to the tune of 2 million dollars, or that they are susceptible to being hacked?
Dollars were not included in my post, and when I said over 2 million, I meant that over 2 million users of the WordPress plugin were affected by the security hole.
What I can say is that we need to be more careful because the threat actors are not joking these days, and they can easily spread a malicious file link to millions of victims with just a single click.
I think the developer team of the WordPress plugin that created update version 6 should be held accountable for the losses of the threat actors' victims, because they ought to check for security vulnerabilities before making WordPress plugin 6 available to the public.
IyaJJJ;7922 wrote:thrive;7921 wrote:Dollars were not included in my post, and when I said over 2 million, I meant that over 2 million users of the WordPress plugin were affected by the security hole.
What I can say is that we need to be more careful because the threat actors are not joking these days, and they can easily spread a malicious file link to millions of victims with just a single click.
I think the developer team of the WordPress plugin that created update version 6 should be held accountable for the losses of the threat actors' victims, because they ought to check for security vulnerabilities before making WordPress plugin 6 available to the public.
Yes, they can be held accountable for the drawback that causes the vulnerabilities, but the point is the solution that people using the WordPress plugin need for now.
full;7926 wrote:IyaJJJ;7922 wrote:What I can say is that we need to be more careful because the threat actors are not joking these days, and they can easily spread a malicious file link to millions of victims with just a single click.
I think the developer team of the WordPress plugin that created update version 6 should be held accountable for the losses of the threat actors' victims, because they ought to check for security vulnerabilities before making WordPress plugin 6 available to the public.
Yes, they can be held accountable for the drawback that causes the vulnerabilities, but the point is the solution that people using the WordPress plugin need for now.
That's simple: according to the information provided, what users who have WordPress 6 need to do now to prevent the attack is to update to WordPress plugin version 6.1.
full;7926 wrote:IyaJJJ;7922 wrote:What I can say is that we need to be more careful because the threat actors are not joking these days, and they can easily spread a malicious file link to millions of victims with just a single click.
I think the developer team of the WordPress plugin that created update version 6 should be held accountable for the losses of the threat actors' victims, because they ought to check for security vulnerabilities before making WordPress plugin 6 available to the public.
Yes, they can be held accountable for the drawback that causes the vulnerabilities, but the point is the solution that people using the WordPress plugin need for now.
I agree with you that the solution to the issue is the most important thing, but the developer team also needs to be held responsible so they will be more careful in the near future and not make the same mistake.