Vulnerability in wordpress plugin 'Advanced Custom Fields'

15/05/2023

Dear Users,


The vulnerability in question is CVE-2023-30777, a high-severity reflected cross-site scripting (XSS) flaw that allows unauthenticated attackers to steal sensitive information and escalate their privileges on affected WordPress sites.

The XSS flaw requires the involvement of a logged-in user who has access to the plugin: malicious code runs in that user's browser and gives the attackers high-privileged access to the site.

The malicious scans indicate that this mitigating factor does not deter threat actors, who expect to overcome it through basic trickery and social engineering.

Also, the exploit works on default configurations of the affected plugin versions, which increases the attackers' chances of success without requiring extra effort.

We recommend Users working with WordPress in their Virtual Machines on Cineca Cloud to upgrade the 'Advanced Custom Fields' free and pro plugins to version 5.12.6 (backported fix) or 6.1.6.
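Because the fix was shipped on two release lines (6.1.6 and the backported 5.12.6), a plain "is it at least 6.1.6" comparison would wrongly report a patched 5.12.6 install as vulnerable. The following branch-aware version check is an added example for this notice, not code from Cineca or from the plugin's authors; the inventory format and the use of wp-cli to collect versions are assumptions.

```python
"""Check whether an installed Advanced Custom Fields (ACF) version carries
the fix for CVE-2023-30777.

Fixed releases, as stated in the advisory: 6.1.6 for the 6.x line and the
backported 5.12.6 for the 5.x line. A naive "is it >= 6.1.6" test would
wrongly flag a patched 5.12.6 install, so the check is branch-aware.
"""
import re

# Patched release per major version line (from the advisory).
PATCHED = {5: (5, 12, 6), 6: (6, 1, 6)}


def parse_version(text):
    """Turn '6.1.5' or '5.12.6-beta1' into a tuple of ints, e.g. (6, 1, 5)."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_patched(version_text):
    """True if this ACF version is at or above the fixed release for its line.

    Lines older than 5.x have no backport, so they are reported as vulnerable;
    lines newer than 6.x are assumed to include the fix.
    """
    v = parse_version(version_text)
    if v[0] in PATCHED:
        return v >= PATCHED[v[0]]
    return v[0] > max(PATCHED)


def triage(inventory):
    """Map {host: version} to {host: 'patched' | 'upgrade'} for a fleet listing.

    The inventory would normally be collected per VM with something like
    `wp plugin get advanced-custom-fields --field=version` (assumed workflow).
    """
    return {host: ("patched" if is_patched(ver) else "upgrade")
            for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; these are not real Cineca hosts.
    sample = {"vm-blog-01": "6.1.5", "vm-blog-02": "6.1.6",
              "vm-wiki-01": "5.12.6", "vm-old-01": "5.12.5"}
    for host, state in triage(sample).items():
        print(f"{host}: {state}")
```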


https://www.bleepingcomputer.com/news/security/hackers-use-public-exploit-to-attack-vulnerable-wordpress-sites/


Best regards,

HPC User Support @ CINECA