WP Engine Advanced Custom Fields Pro
cpe:2.3:a:advancedcustomfields:advanced_custom_fields:*:*:*:*:wordpress:*:*
- <= 6.1.5
A reflected cross-site scripting vulnerability has been identified in the WP Engine Advanced Custom Fields Pro and Free plugins, affecting versions 6.1.5 and prior. This vulnerability allows unauthenticated users to inject malicious scripts that could be executed by users with administrative privileges, potentially leading to the theft of sensitive information or privilege escalation on the WordPress site.
Exploitation of this vulnerability could allow for reflected cross-site scripting, where injected scripts are executed in the context of the user's browser.
To reproduce this vulnerability, log into a WordPress site running the vulnerable version of the Advanced Custom Fields plugin. Then navigate to the admin area and open the 'edit.php' page for the 'acf-field-group' post type. The XSS payload can be injected through the 'post_status' parameter in the URL, which is not properly sanitized before being output as a CSS class on the admin body element.
Users are advised to update the Advanced Custom Fields plugin to version 6.1.6 or later. Patchstack users can enable auto-updates for vulnerable plugins.
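The following is an added illustration, not ACF's own code, of the sink the advisory describes: a hypothetical admin_body_class filter that appends a request parameter to the admin body class list, beside a hardened form that allowlists the status and reduces it to a valid CSS class with WordPress's sanitize_html_class(). The function names and the allowlist are assumptions.

```php
<?php
// Hypothetical filter callbacks (not ACF's own code) on the WordPress
// 'admin_body_class' filter, which passes a space-separated class string
// that wp-admin/admin-header.php echoes into the <body class="..."> attribute.

// VULNERABLE pattern: a request-controlled value reaches the class attribute
// without escaping, so a value containing a quote or '>' breaks out of it.
function example_vulnerable_body_class( $classes ) {
    if ( isset( $_GET['post_type'] ) && 'acf-field-group' === $_GET['post_type']
        && isset( $_GET['post_status'] ) ) {
        $classes .= ' acf-status-' . $_GET['post_status'];
    }
    return $classes;
}

// HARDENED pattern: only a known set of statuses is accepted (example allowlist,
// an assumption), and the value is sanitized as a CSS class before output.
// sanitize_html_class() keeps only A-Z, a-z, 0-9, '-' and '_', which cannot
// terminate an HTML attribute.
function example_hardened_body_class( $classes ) {
    if ( isset( $_GET['post_type'] ) && 'acf-field-group' === $_GET['post_type']
        && isset( $_GET['post_status'] ) ) {
        $status  = sanitize_html_class( wp_unslash( $_GET['post_status'] ) );
        $allowed = array( 'publish', 'draft', 'trash' );
        if ( in_array( $status, $allowed, true ) ) {
            $classes .= ' acf-status-' . $status;
        }
    }
    return $classes;
}
add_filter( 'admin_body_class', 'example_hardened_body_class' );
```

The allowlist check is the substantive control; sanitize_html_class() alone already prevents attribute breakout, while the allowlist also keeps unexpected status names out of the admin markup.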