XSS Attack WordPress

An XSS vulnerability in the “Advanced Custom Fields” WordPress plugin allows an attacker to inject JavaScript into the WordPress backend and into the website. When creating a new post, an attacker can create a custom field and fill it with HTML or JavaScript that is executed as soon as anyone views the post. The malicious code could leak sensitive data such as session IDs to the attacker. The vulnerability was reported as CVE-2018-17557.


We discovered a security issue in the plugin “Advanced Custom Fields” for WordPress. Due to a lack of sufficient input filtering, it is possible to inject JavaScript code into the website as well as into the WordPress backend. The injection is possible with the author role, whose permissions usually do not allow injecting JavaScript code into the website. An attacker can inject malicious code that will later be executed by legitimate users who open the website or the backend function. The attacker can then perform unauthorized actions in the application on behalf of legitimate users or spread malware via the application.


Steps to Reproduce

A post made by an attacker can contain a custom field with JavaScript code. The code is not filtered and is executed whenever the post is displayed to a visitor.

The following pictures show how we are able to exploit the vulnerability.

Root Cause

This issue exists due to insufficient input filtering. In order to mitigate the issue we recommend applying input filtering to all input fields and URL parameters in the entire plugin to ensure that only valid input is processed (this means input filtering for the fields as well as for the field values).
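The recommended filtering of both field names and field values, shown as an added example in plain PHP next to an unfiltered render for contrast. This is not the plugin's code or the fix shipped in 5.7.8; every function name and the sample submission are hypothetical, and the output encoding at render time is an extra layer assumed here on top of the input filtering the advisory recommends.

```php
<?php
// Added illustration: plain PHP, no WordPress or plugin code.
// All function names and the sample data below are hypothetical.

// Input filter for a field name: allow-list of harmless ASCII characters.
function filter_field_name(string $name): string {
    $name = (string) preg_replace('/[^A-Za-z0-9 _-]/', '', $name);
    return substr(trim($name), 0, 64);
}

// Input filter for a field value submitted by a role that may not post raw
// HTML: drop markup and control characters, then trim whitespace.
function filter_field_value(string $value): string {
    $value = strip_tags($value);
    $value = (string) preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $value);
    return trim($value);
}

// Output encoding applied at render time as a second layer, so a value that
// slipped past the input filter is still shown as text, not parsed as HTML.
function render_field(string $name, string $value): string {
    $enc = fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<dt>' . $enc($name) . '</dt><dd>' . $enc($value) . '</dd>';
}

// Unfiltered rendering for contrast: stored input reaches the page as-is,
// which is the behaviour the advisory describes.
function render_field_unfiltered(string $name, string $value): string {
    return '<dt>' . $name . '</dt><dd>' . $value . '</dd>';
}

// Constructed sample submission with markup in both the name and the value.
$name  = 'Subtitle<img src=x onerror=alert(1)>';
$value = 'Hello <script>alert(1)</script>world';

echo "unfiltered: ", render_field_unfiltered($name, $value), "\n";
echo "filtered:   ",
    render_field(filter_field_name($name), filter_field_value($value)), "\n";
```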



The issue was fixed by Elliot Condon in release 5.7.8.



Credit for finding and reporting the issue:

Patrick Schmitt

Jonas Becker