A popular WordPress plugin could expose nearly 2 million websites to attack.
Millions of WordPress-powered websites use the Advanced Custom Fields and Advanced Custom Fields Pro plugins, which are vulnerable to cross-site scripting (XSS) attacks, security researchers say.
The high-severity vulnerability could allow malicious hackers to inject malicious scripts, such as redirects, advertisements, or other HTML content, into websites, where they would execute when a user visits the targeted page.
Thankfully, the vulnerability is mitigated somewhat by the fact that it could only be exploited against logged-in users who have permission to access the vulnerable plugin, and who would have to be lured into visiting a malicious URL to trigger the attack.
It’s much better than if anyone could visit your website and launch an attack, but it’s important to patch affected sites quickly.
Security researcher Rafie Muhammad found the XSS vulnerability three days ago, and plugin developer WPEngine released a patch yesterday.
Administrators of WordPress websites using the affected plugins should ensure they have updated Advanced Custom Fields to version 6.1.6 or later.
I use Advanced Custom Fields here at grahamcluley.com, so when I first heard about the vulnerability, I knew I needed to patch the plugin as soon as possible within the WordPress admin console.
Luckily, Advanced Custom Fields turned out to be one of the plugins I had chosen to allow to update automatically.
No evidence has been shown that a security hole in the vulnerable version of the plugin was maliciously exploited, but that doesn’t mean it hasn’t happened, of course.