A popular WordPress plugin could be putting around two million websites at risk of attack.
According to security researchers, two million WordPress websites could be at risk of attack due to a vulnerability found in a popular WordPress plugin. The plugins in question are Advanced Custom Fields and Advanced Custom Fields Pro, which have been found to be vulnerable to cross-site scripting (XSS) attacks. The vulnerability is rated high severity and could allow a malicious hacker to inject harmful scripts into a website. Those scripts could include redirects, adverts, and other HTML content, which would execute in the browsers of users visiting the targeted website.
The good news is that the vulnerability can only be exploited by logged-in users who have access to the vulnerable plugin. This means that a non-logged-in attacker would have to trick someone with the appropriate privileges into visiting a malicious URL to trigger an attack. However, it is still important that affected sites are patched promptly to ensure they are protected.
Security researcher Rafie Muhammad discovered the XSS vulnerability three days ago, and plugin developer WPEngine released a patch yesterday. Administrators of WordPress websites using the affected plugins should update Advanced Custom Fields to version 6.1.6 or later to prevent potential attacks.
As a precautionary measure, website administrators are advised to patch the plugin as soon as possible. Although the vulnerability has not yet been exploited, there is always a possibility that it could be, which makes prompt patching all the more important. In fact, Graham Cluley, an IT and security expert who runs a website using the plugin, has already updated his site’s plugin to the latest version.
Fortunately, updating the plugin is a straightforward process that can be done via the WordPress admin console. It is also advisable to enable automatic updates for plugins to ensure that they are always up to date with the latest security patches.
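For administrators responsible for more than one site, the update advice above can be turned into a quick fleet check. The following script is an added example and is not part of the original article or of the plugin vendor's tooling. It assumes the JSON produced by WP-CLI's `wp plugin list --format=json` (a list of objects with `name`, `status`, `update` and `version` keys), uses the plugin slugs `advanced-custom-fields` and `advanced-custom-fields-pro` as assumptions for the free and Pro builds, and compares each installed version against the patched release 6.1.6 named in the article. The sample plugin list embedded in the script is constructed for the example, not captured from a real site.

```python
"""Fleet check: flag WordPress sites still running an Advanced Custom Fields
build older than the patched 6.1.6 release, and print the WP-CLI commands an
administrator would run to update it and switch on automatic plugin updates.

Input is the JSON emitted by `wp plugin list --format=json` (WP-CLI); the
sample below is constructed for this example, not captured from a real site.
"""
import json

PATCHED_VERSION = "6.1.6"  # from the advisory: update to 6.1.6 or later

# Plugin slugs assumed for the free and Pro builds (the free slug is the
# WordPress.org one; the Pro slug is an assumption based on the vendor's naming).
ACF_SLUGS = {"advanced-custom-fields", "advanced-custom-fields-pro"}

# Constructed sample of `wp plugin list --format=json` output.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "advanced-custom-fields", "status": "active",
     "update": "available", "version": "6.1.5"},
    {"name": "advanced-custom-fields-pro", "status": "active",
     "update": "none", "version": "6.1.6"},
    {"name": "akismet", "status": "inactive",
     "update": "none", "version": "5.1"},
])


def parse_version(text):
    """Turn '6.1.5' into (6, 1, 5). Only the leading digits of each dotted
    component are used, so a pre-release suffix such as '-beta1' is ignored."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a, b):
    """True when version string a is strictly older than b ('6.1' == '6.1.0')."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


def find_unpatched_acf(plugin_list_json):
    """Return [(slug, version)] for ACF installs older than PATCHED_VERSION."""
    findings = []
    for plugin in json.loads(plugin_list_json):
        slug = plugin.get("name", "")
        if slug in ACF_SLUGS and version_lt(plugin.get("version", "0"), PATCHED_VERSION):
            findings.append((slug, plugin["version"]))
    return findings


def remediation_commands(findings):
    """WP-CLI commands for each finding: update the plugin, then enable
    automatic updates for it (the auto-updates subcommand exists in recent
    WP-CLI releases; older installs can use the admin console instead)."""
    cmds = []
    for slug, _version in findings:
        cmds.append(f"wp plugin update {slug}")
        cmds.append(f"wp plugin auto-updates enable {slug}")
    return cmds


if __name__ == "__main__":
    hits = find_unpatched_acf(SAMPLE_WP_PLUGIN_LIST)
    for slug, version in hits:
        print(f"UNPATCHED: {slug} {version} (older than {PATCHED_VERSION})")
    for cmd in remediation_commands(hits):
        print(cmd)
```

On a real host you would replace the constructed sample with the actual output of `wp plugin list --format=json` run from each site's WordPress directory; the script flags only the two ACF slugs, so unrelated plugins in the list are ignored.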