WordPress plugin vulnerability puts two million websites at risk

A popular WordPress plugin could be putting around two million websites at risk of attack.

Millions of WordPress-powered websites are using the Advanced Custom Fields and Advanced Custom Fields Pro plugins, which security researchers say have been vulnerable to cross-site scripting (XSS) attacks.

The high-severity vulnerability could have allowed a malicious hacker to inject malicious scripts, such as redirects, adverts, and other HTML content, into a website, where they would execute when users visited the targeted site.


Thankfully, the vulnerability was mitigated somewhat by the fact that it could only be exploited by logged-in users who had access to the vulnerable plugin, meaning that a non-logged-in attacker would have to trick someone who was logged in with the appropriate privileges to visit a malicious URL to trigger an attack.

Although that is clearly much better than if the attack could be initiated by anyone accessing the website, it’s still important that affected sites are patched promptly.

Security researcher Rafie Muhammad discovered the XSS vulnerability three days ago, and plugin developer WPEngine released a patch yesterday.

Administrators of WordPress websites that are using the affected plugins should ensure they have updated Advanced Custom Fields to version 6.1.6 or later.

Image: Advanced Custom Fields plugin changelog.

I use the Advanced Custom Fields plugin here on grahamcluley.com, so when I first heard about the vulnerability I realised I needed to patch the plugin within the WordPress admin console as quickly as possible.

Fortunately, it turned out that Advanced Custom Fields was one of the plugins that I have chosen to allow to automatically update.

No evidence has been presented of anyone maliciously exploiting the security hole in vulnerable versions of the plugin, although of course that doesn’t mean it hasn’t happened.


Graham Cluley is a veteran of the cybersecurity industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent analyst, he regularly makes media appearances and is an international public speaker on the topic of cybersecurity, hackers, and online privacy. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
