WordPress plugin vulnerability puts two million websites at risk

WordPress plugin vulnerability puts two million websites at risk

A popular WordPress plugin could be putting around two million websites at risk of attack.

Millions of WordPress-powered websites are using the Advanced Custom Fields and Advanced Custom Fields Pro plugins, which security researchers say have been vulnerable to cross-site scripting (XSS) attacks.

The high severity vulnerability could have allowed a malicious hacker to inject malicious scripts, such as redirects, adverts, and other HTML content into website that would execute when users visited the targeted website.

Sign up to our free newsletter.
Security news, advice, and tips.

Thankfully, the vulnerability was mitigated somewhat by the fact that it could only be exploited by logged-in users who had access to the vulnerable plugin, meaning that a non-logged-in attacker would have to trick someone who was logged in with the appropriate privileges to visit a malicious URL to trigger an attack.

Although that is clearly much better than if the attack could be initiated by anyone acessing the website, it’s still important that affected sites are patched promptly.

Security researcher Rafie Muhammad discovered the XSS vulnerability three days ago, and plugin developer WPEngine released a patch yesterday.

Administrators of WordPress websites that are using the affected plugins should ensure they have updated Advanced Custom Fields to version 6.1.6 or later.

Acf release notes
Advanced Custom Fields plugin changelog.

I use the Advanced Custom Fields here on grahamcluley.com, so when I first heard about the vulnerability I realised I needed to patch the plugin within the WordPress admin console as quickly as possible.

Fortunately, it turned out that Advanced Custom Fields was one of the plugins that I have chosen to allow to automatically update.

No evidence has been presented of anyone maliciously exploiting the security hole in vulnerable versions of the plugin, although of course that doesn’t mean it hasn’t happened.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky and Mastodon, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.