Severity
Medium
Analysis Summary
CVE-2023-40068
Advanced Custom Fields plugin for WordPress and Advanced Custom Fields Pro plugin for WordPress is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability using a specially crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
Impact
- Cross-Site Scripting
Indicators Of Compromise
CVE
- CVE-2023-40068
Affected Vendors
WordPress
Affected Products
- Advanced Custom Fields plugin for WordPress 6.1.0
- Advanced Custom Fields Pro plugin for WordPress 6.1.7
Remediation
Upgrade to the latest version of Advanced Custom Fields plugin for WordPress or Advanced Custom Fields Pro plugin for WordPress, available from the WordPress Plugin Directory and the Advanced Custom Fields Website.