A popular WordPress plugin could expose nearly 2 million websites to attack.

Millions of WordPress-powered websites use the Advanced Custom Fields and Advanced Custom Fields Pro plugins, which are vulnerable to cross-site scripting (XSS) attacks, security researchers say. increase.

High-severity vulnerabilities could allow malicious hackers to inject malicious scripts, such as redirects, advertisements, or other HTML content into websites, which would execute when a user visits the targeted website had.

e-mailsign up for newsletter
Security news, advice and tips.

Thankfully, this vulnerability was mitigated somewhat by the fact that it could only be exploited by logged-in users with access to the vulnerable plugin. Permission to access malicious URLs to trigger attacks.

It’s much better than if anyone could visit your website and launch an attack, but it’s important to patch affected sites quickly.

Security Researcher Rafie Muhammad Found XSS vulnerability Three days ago, plugin developer WPEngine released a patch yesterday.

Administrators of WordPress websites using the affected plugins should ensure they have updated Advanced Custom Fields to version 6.1.6 or later.

Acf release notes
Changelog for the Advanced Custom Fields plugin.

I use Advanced Custom Fields here at grahamcluley.com, so when I first heard about the vulnerability, I knew I needed to patch the plugin as soon as possible within the WordPress admin console.

Luckily Advanced Custom Fields turned out to be one of the plugins I chose to allow. Automatic updating.

No evidence has been shown that a security hole in the vulnerable version of the plugin was maliciously exploited, but that doesn’t mean it hasn’t happened, of course.

Did you find this article interesting? Follow Graham Cluley on Twitter again Mastodon To read more about the exclusive content we post.

Graham Cluley is a veteran of the antivirus industry and has worked for many security companies since the early 1990s when he created the first version of Dr. Solomon’s Antivirus Toolkit for Windows. He is now an independent security he is an analyst, makes regular media appearances and gives international lectures on computer he security, hackers and online he privacy. Follow him on Twitter. @gcluleyfor Mastodon @[email protected]or drop him an email.



Register now for our membership to gain access to our elite training program and fast forward your career today!


Subscribe my Newsletter for new blog posts, tips & new photos. Let's stay updated!

Security Blog

Blue Training Academy

Blue Training Academy was developed in 2018 as a educational and training facility for continuing education and certification courses. Blue Training Academy is an educational institution that allows for all sectors of the public and Criminal Justice field to gain ongoing training and education.

Copyright ©️ All rights reserved. | Blue Training Academy Blog