CVE-2023-30777: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in WP Engine Advanced Custom Fields Pro and Advanced Custom Fields plugins versions 6.1.5 and below, affecting over 2 million active installations. The vulnerability, identified as CVE-2023-30777, was discovered by Rafie Muhammad from Patchstack and was fixed in version 6.1.6 (Patchstack Article, WPScan).

The vulnerability stems from improper sanitization in the adminbodyclass function handler. The adminbodyclass hook's output value is not properly sanitized and is directly constructed on the HTML page. The issue arises when the $this->view variable from the currentscreen function can be manipulated, as the sanitizetextfield function's sanitization is insufficient to prevent XSS attacks. The vulnerability has been assigned a CVSS score of 7.1 (High) ([Patchstack Article](https://patchstack.com/articles/reflected-xss-in-advanced-custom-fields-plugins-affecting-2-million-sites?s_id=cve)).

This vulnerability could allow malicious actors to inject harmful scripts, including redirects, advertisements, and other HTML payloads into a website, which would then be executed when guests visit the site. The vulnerability could only be triggered by logged-in users with access to the Advanced Custom Fields plugin features (Security Online).

The vulnerability was patched in version 6.1.6 by implementing the escattr function to properly sanitize the output. Users are strongly advised to update to version 6.1.6 or later to resolve the vulnerability. The security fix was also backported to version 5.12.6 for users of older versions ([Patchstack Article](https://patchstack.com/articles/reflected-xss-in-advanced-custom-fields-plugins-affecting-2-million-sites?s_id=cve)).