CVE-2023-30777

HIGH · EXPLOITED IN THE WILD · NUCLEI

Advancedcustomfields Advanced Custom Fields < 6.1.6 - XSS

Description

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WP Engine Advanced Custom Fields Pro, WP Engine Advanced Custom Fields plugins <= 6.1.5 versions.

Exploits (1)

nomisec · WORKING POC · 8 stars
by Alucard0x1 · client-side
https://github.com/Alucard0x1/CVE-2023-30777

Nuclei Templates (1)

Advanced Custom Fields < 6.1.6 - Cross-Site Scripting
MEDIUM · VERIFIED · by r3Y3r53

Scores

CVSS v3 7.1
EPSS 0.8327
EPSS Percentile 99.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Details

VulnCheck KEV 2023-05-11
InTheWild.io 2023-05-14
CWE CWE-79
Status published
Products (1)
advancedcustomfields/advanced_custom_fields < 6.1.6 (2 CPE variants)
Published May 10, 2023
Tracked Since Feb 18, 2026