Advanced Custom Fields Plugin Patches Reflected XSS Vulnerability

Advanced Custom Fields (ACF) has patched a reflected XSS vulnerability that affects versions 6.1.5 and below of ACF and ACF Pro, potentially impacting more than 2 million users. It was discovered by Patchstack researcher Rafie Muhammad on May 2, 2023, and patched by ACF developers in version 6.1.6 on May 4, 2023.

Patchstack published a security bulletin and Muhammad described the vulnerability as follows:

This vulnerability allows any unauthenticated user to steal sensitive information for, in this case, privilege escalation on the WordPress site by tricking a privileged user to visit the crafted URL path. 

The vulnerability was rated high severity under CVSS 3.1. Muhammad outlined a proof of concept in the security bulletin. At this time, the vulnerability is not known to have been exploited. Because a reflected XSS only fires when a victim opens the attacker's link, the exposure is to logged-in privileged users who can be lured to a crafted URL; ACF free and ACF Pro users should update to version 6.1.6 or later as soon as possible.
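The pattern Muhammad describes is a classic reflected XSS in an admin screen: a value from the request URL is written back into the page without escaping, so a crafted link opened by an administrator runs attacker script in that administrator's session. The following is an added illustration, not ACF's code and not the vulnerable code from the Patchstack bulletin: a hypothetical WordPress plugin (function names, the `view` parameter and the allowlist are all assumptions) reflects a query parameter into the admin `<body>` class list, first unsafely and then with an allowlist plus output escaping. It assumes it runs inside WordPress, where `add_filter`, `wp_unslash`, `sanitize_key` and `esc_attr` are core functions.

```php
<?php
// Added example, not code from ACF or from the Patchstack bulletin.
// Shows the reflected-XSS pattern in a WordPress admin screen and the fix.
// Assumes WordPress core is loaded (add_filter, wp_unslash, sanitize_key, esc_attr).

// VULNERABLE (assumed, illustrative): the "view" query parameter is appended to the
// admin body class string unescaped. A URL such as
//   /wp-admin/admin.php?page=example-plugin&view=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
// sent to a logged-in administrator closes the class attribute and executes
// script with that administrator's privileges. No authentication is needed to
// craft the link; only the victim has to open it.
function example_vulnerable_body_class( $classes ) {
    if ( isset( $_GET['view'] ) ) {
        $classes .= ' view-' . $_GET['view']; // raw request data into an HTML attribute
    }
    return $classes;
}

// HARDENED: normalise the input, accept only known values, and still escape at
// the point of output so the attribute context is protected even if the
// allowlist is later loosened.
function example_hardened_body_class( $classes ) {
    if ( ! isset( $_GET['view'] ) ) {
        return $classes;
    }
    // sanitize_key() lowercases and strips everything except a-z, 0-9, '_' and '-',
    // so quotes and angle brackets never survive to the output.
    $view    = sanitize_key( wp_unslash( $_GET['view'] ) );
    $allowed = array( 'list', 'grid', 'settings' ); // assumed set of valid views
    if ( ! in_array( $view, $allowed, true ) ) {
        return $classes; // unknown values are dropped, never reflected
    }
    return $classes . ' view-' . esc_attr( $view );
}

// Register only the hardened variant; the vulnerable one is kept above for comparison.
add_filter( 'admin_body_class', 'example_hardened_body_class' );
```

Capability checks and nonces do not help here: the request is made by a genuinely privileged user, so the only defence is to never place untrusted request data into HTML without escaping for the context it lands in (`esc_attr()` for attributes, `esc_html()` for text, `esc_url()` for URLs). A quick review check for a plugin is to grep for `$_GET`, `$_POST` and `$_REQUEST` and confirm every use reaches output through one of those escaping functions.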


3 responses to “Advanced Custom Fields Plugin Patches Reflected XSS Vulnerability”

  1. The vulnerability was reported to the ACF team on the 2nd May, not in February as the article states. We patched and shipped ACF 6.1.6 on the 4th May, not in April. We take security extremely seriously and the team worked hard to get the fix out in 48 hours.
