CVE-2023-30777

Severity: HIGH · Exploited in the wild · Nuclei template available

Advanced Custom Fields Pro and Advanced Custom Fields <= 6.1.5 - Unauthenticated Reflected Cross-Site Scripting

Title source: llm

Exploitation Summary

CVE-2023-30777 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 1 public exploit from researchers including Alucard0x1. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a Python script that generates a PoC URL for a reflected XSS vulnerability in the Advanced Custom Fields WordPress plugin. The script constructs a malicious URL with an XSS payload in the 'post_status' parameter.

Description

Unauthenticated reflected cross-site scripting (XSS) vulnerability in the WP Engine Advanced Custom Fields Pro and Advanced Custom Fields plugins, versions <= 6.1.5.

Exploits (1)

Source: nomisec · Working PoC · 8 stars
by Alucard0x1 · client-side
https://github.com/Alucard0x1/CVE-2023-30777


Classification
Working PoC (95%)
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Advanced Custom Fields WordPress plugin
Auth required
Prerequisites: Access to a vulnerable WordPress site with the Advanced Custom Fields plugin installed · Valid authentication credentials for the WordPress admin panel
MITRE ATT&CK
Analyzed by devstral-2 on Feb 16, 2026

Nuclei Templates (1)

Advanced Custom Fields < 6.1.6 - Cross-Site Scripting
Severity: MEDIUM · Verified · by r3Y3r53

Scores

CVSS v3 7.1
EPSS 0.3877
EPSS Percentile 98.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

VulnCheck KEV 2023-05-11
InTheWild.io 2023-05-14
CWE
CWE-79
Status published
Products (3)
advancedcustomfields/advanced_custom_fields < 6.1.6 (2 CPE variants)
WP Engine/Advanced Custom Fields < 6.1.5
WP Engine/Advanced Custom Fields Pro < 6.1.5
Published May 10, 2023
Tracked Since Feb 18, 2026