According to a report, over 810 million people worldwide use WordPress as a platform for their websites. Of these, about 54.3% run the latest WordPress version (6.0). While the brand is the leading name in content management systems, a recent loophole in one of its plugins has put over 2 million websites at risk.
According to Patchstack, WordPress’ Advanced Custom Fields plugin has a loophole that makes websites using it vulnerable to malicious attacks. According to The Register, a Patchstack researcher discovered the issue on May 2, and on May 5 Patchstack published the details publicly. Let us take you through them.
The flaw is CVE-2023-30777, and its CVSS score is 6.1 out of 10. The scale indicates how severe a flaw is based on how much damage websites would incur if an attack exploited it. With this flaw, malicious users would be able to run JavaScript code in the browser of a user visiting the affected site. This would allow cybercriminals to gain sensitive information about that person, which can lead to issues such as theft of money, hijacked accounts, and more.
What truly makes this issue dangerous is that if the victim is an administrator logged into the website, the attacker would be able to take control of the website and cause severe damage to the site’s functioning, its users, and more.
Patchstack wrote, “This vulnerability allows any unauthenticated user [to steal] sensitive information to, in this case, privilege escalation on the WordPress site by tricking the privileged user to visit the crafted URL path.” They further added, “This vulnerability could be triggered on a default installation or configuration of Advanced Custom Fields plugin. The XSS could only be triggered from logged-in users with access to the Advanced Custom Fields plugin.”
The company advised users to upgrade WordPress to a more recent version, 6.1.6, to secure themselves from the issue. WordPress, to date, remains the largest market-share holder in the content management systems industry. However, since 2020, numerous issues have been arising in its plugins and general back-end code.
According to Patchstack, the recent flaw is one of four issues it found in WordPress plugins. It also reported that since 2020 there has been a significant jump in the number of flaws in WordPress code. It released a survey suggesting that the number of vulnerabilities rose by about 150 percent between 2020 and 2021. About 29% of these vulnerabilities remained unfixed at the time the survey was written.
Statistics such as these indicate the increasing level of issues the platform apparently faces and how that might affect websites all over the globe. Because of such issues, newer businesses are moving towards solutions that provide better hosting services, higher levels of security, and ease of operation.
One way to do so is to move to a SaaS hosting service. One of the reasons is that website owners and business people are not security experts. As a result, they do not always adhere to industry standards, which is imperative to keeping a website secure. Using a SaaS service, on the other hand, outsources the site’s security to third-party experts who ensure that the best security measures are taken to protect the website from malicious attacks.
Overall, ensuring security isn’t a one-time task but an always-on process. Thus, website owners must make an informed choice about how to protect their websites on WordPress, or opt for services that ensure better security.