According to a recent report by Akamai, threat actors are actively looking to exploit a critical vulnerability found in a WordPress plugin, some 24 hours after proof-of-concept code was released to the public at large.
The saga was summarized by Akamai researchers as follows,
A recent example of this was exhibited earlier this month with a critical vulnerability affecting a WordPress custom field plugin. Within a number of hours following the company’s announcement of the vulnerability and the associated patch, we saw increased XSS activity. One, in particular, stood out: the PoC [proof-of-concept] query itself.
The vulnerability discovered in the popular WordPress Advanced Custom Fields plugin was initially discovered in May 2023 and given the designation CVE-2023-30777. The vulnerability was given a severity score of 7.1, which means it is fairly serious.
The exploitation of this vulnerability can result in the attacker performing a reflected cross-site scripting (XSS) attack. This allows the threat actor to push those illegitimate scripts to visitors of that affected site. This manipulation is essentially blind to the site owner, making these threats even more dangerous.
XSS attacks are a type of injection attack where malicious code is injected into a web app, typically on the client side or browser side, to the end user, making the attack blind to the site owner, as alluded to above.
In previous attacks, it was seen that a malicious script could access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.
As the Custom Fields plugin is estimated to have some 2 million users, when the vulnerability was made public, it almost instantly made headlines. A WordPress-focused security firm PatchStack then published a detailed report on the vulnerability, further noting,
This vulnerability allows any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by tricking privileged users to visit the crafted URL path.
It is important to note that an official patch for the vulnerability has been released, and it is strongly advised that if your WordPress site makes use of the above-mentioned plugin, it is important to update as a matter of priority.
This should be seen as even more of a priority that the report by PatchStack included proof-of-concept code. Traditionally, once proof-of-concept code is publicly available; threat actors begin to scan for vulnerable devices or, in this case, vulnerable unpatched sites.
In one instance seen by Akamai researchers, the threat actor used exactly the publically released code. For this reason, Akamai researchers stated,
Patch management is a critical part of an organization’s security and risk-reduction strategy. As was demonstrated here, the rate of exploitation of emerging and recently disclosed vulnerabilities remains high — and is getting faster. Attackers often exploit trends within the first 24 to 48 hours of public announcement, leaving practically no time for proper mitigations to be applied, even in the most robust security ecosystems.
Disclosure of Vulnerabilities
Some might ask then, if disclosing vulnerabilities often results in an increase in threat actors attempting to exploit vulnerabilities, more so when proof-of-concept code is released, why disclose in the first place?
Simply put, over the years, it has proven best practice to allow security researchers to discover vulnerabilities in either software or hardware so as to allow for those companies responsible for developing security patches within a reasonable time frame.
It is best practice for security researchers to disclose vulnerabilities to the manufacturer or developer first before disclosing them to the public so that a patch can be developed.
In some cases, the vulnerability has been ignored by the manufacturer or developer, forcing the security researcher to go public with the information, which then gives the public a chance to apply other mitigation strategies so as to try to prevent exploitation. This is often a public relations disaster for the manufacturer or developer.
Coordinated disclosures, namely those involving both the researcher and manufacturer to remain in communication and establish a timeline to remedy the vulnerability, are seen by the tech industry at large as the best possible solution.
However, this only really applies to vulnerabilities discovered by non-malicious threat actors, who often receive a bug bounty for their troubles. The worst kind of vulnerability is those discovered by threat actors not interested in collecting the bounty.
These are commonly referred to as zero-day vulnerabilities, and no patch is ready once they are disclosed to the public. These can often be exploited by threat actors with little chance of detection and are anyone in charge of network security’s nightmare scenario.
These typically are headline-grabbing vulnerabilities but not as common as disclosed vulnerabilities that require users to patch their applications making for far less exciting headlines but helping create best security practices.