Threat actors began exploiting a recently disclosed vulnerability in a WordPress plugin within 24 hours of Patchstack publishing a proof-of-concept (PoC) exploit, according to a blog post by Akamai.
The high-severity vulnerability, CVE-2023-30777, is a reflected cross-site scripting (XSS) flaw in the Advanced Custom Fields (ACF) plugin for WordPress. A Patchstack researcher identified it on May 2, and the vendor fixed it in ACF version 6.1.6.
Because the flaw is a reflected XSS in the plugin's admin pages, an attacker first has to lure a logged-in, privileged user (an administrator or editor) into opening a crafted URL; the injected script then runs in that user's browser with that user's privileges. From there the threat actor can inject malicious scripts, redirects, advertisements, and other forms of URL manipulation into the victim site, which in turn pushes those illegitimate scripts to the site's visitors. The plugin is active on more than two million sites worldwide.
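Since in-the-wild attempts tend to reuse a published PoC with little modification, a first triage step is to hunt web-server access logs for reflected-XSS payloads aimed at wp-admin URLs. The following Python is an added example, not Akamai's, Patchstack's, or the ACF project's code. Its log lines are constructed for illustration, and the use of a `post_status` query parameter in them is an assumption drawn from public write-ups of the bug, not from this article; the detection logic itself is generic and does not depend on the parameter name.

```python
"""Hunt combined-format access logs for reflected-XSS probes against /wp-admin/.

Added example; the sample log lines below are constructed, and the `post_status`
parameter they use is an assumption, not something the article states.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Combined log format: ip ident user [ts] "METHOD target HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers that rarely appear in legitimate wp-admin query-string values.
XSS_MARKERS = (
    re.compile(r'<\s*script', re.I),
    re.compile(r'\bon[a-z]+\s*=', re.I),          # onerror=, onload=, ...
    re.compile(r'javascript\s*:', re.I),
    re.compile(r'<\s*(img|svg|iframe|body)\b', re.I),
)

# Constructed sample log. 203.0.113.7 sends a plain and a double-encoded
# payload; 198.51.100.4 is a normal admin request; 192.0.2.9 probes the
# public search page, which is out of scope for this hunt.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/May/2023:09:14:02 +0000] "GET /wp-admin/edit.php?'
    'post_type=page&post_status=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E '
    'HTTP/1.1" 302 0 "-" "python-requests/2.28"',
    '198.51.100.4 - - [06/May/2023:09:14:05 +0000] "GET /wp-admin/edit.php?'
    'post_type=post&post_status=draft HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/May/2023:09:15:11 +0000] "GET /wp-admin/edit.php?'
    'post_type=page&post_status=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E '
    'HTTP/1.1" 302 0 "-" "curl/7.88"',
    '192.0.2.9 - - [06/May/2023:09:16:00 +0000] "GET /?s=%3Cscript%3E HTTP/1.1" '
    '200 9000 "-" "Mozilla/5.0"',
]


def decode_query(target):
    """Return (name, value) pairs from the request target's query string.

    parse_qsl decodes one layer of percent-encoding; a second unquote_plus
    catches the double-encoding scanners use to slip past naive filters.
    """
    query = urlsplit(target).query
    return [(k, unquote_plus(v)) for k, v in parse_qsl(query, keep_blank_values=True)]


def find_xss_probes(lines):
    """Return one record per /wp-admin/ request whose query carries an XSS payload."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not combined format; skip rather than guess
        target = m.group('target')
        if not urlsplit(target).path.startswith('/wp-admin/'):
            continue                      # scope: admin pages only
        for name, value in decode_query(target):
            if any(p.search(value) for p in XSS_MARKERS):
                hits.append({
                    'ip': m.group('ip'),
                    'ts': m.group('ts'),
                    'param': name,
                    'payload': value,
                    'status': int(m.group('status')),
                })
                break                     # one record per request is enough
    return hits


def probes_by_source(hits):
    """Count flagged requests per source IP, most active first."""
    counts = {}
    for h in hits:
        counts[h['ip']] = counts.get(h['ip'], 0) + 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == '__main__':
    for h in find_xss_probes(SAMPLE_LOG):
        print(f"{h['ts']} {h['ip']} {h['status']} {h['param']}={h['payload']!r}")
    print(probes_by_source(find_xss_probes(SAMPLE_LOG)))
```

Read the `status` column with the attack model in mind: an unauthenticated scanner hitting wp-admin gets a 302 redirect to the login page, so those rows are reconnaissance, not a successful attack. The reflected script only fires in the browser of a logged-in privileged user who opens the crafted link, so rows with a 200 response deserve escalation, and correlating them with session cookies (not present in the combined format shown here) or with the referring page is the next step.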