A WordPress plugin bug poses a threat to 2 million websites. Graham Cluley posted an update on his blog on May 5th, warning that the plugin vulnerability could leave multiple websites open to cross-site scripting (XSS) attacks.

These occur when an unscrupulous hacker injects malicious code or scripts into the otherwise benign code used by an app or website.

“Millions of WordPress-powered websites are using the Advanced Custom Fields and Advanced Custom Fields Pro plugins, which security researchers say have been vulnerable to cross-site scripting (XSS) attacks,” said Cluley.

He added that this “high severity vulnerability” could be used by a “malicious hacker” to inject code into redirects, adverts, and other HTML content used by websites that would then target users visiting the infected website.

Cluley added that the severity of the flaw was “somewhat mitigated” by its reliance on social engineering, in which a bad actor dupes another computer user into clicking on a malicious link.

“It could only be exploited by logged-in users who had access to the vulnerable plugin, meaning that a non-logged-in attacker would have to trick someone who was logged in with the appropriate privileges to visit a malicious URL to trigger an attack,” said Cluley.

He added: “Although that is clearly much better than if the attack could be initiated by anyone accessing the website, it’s still important that affected sites are patched promptly.”

Cluley credited security researcher Rafie Muhammad for discovering the XSS bug three days previously.

Source: cybernews


By admin
