A popular WordPress plugin could be putting around two million websites at risk of attack.
Millions of WordPress-powered websites are using the Advanced Custom Fields and Advanced Custom Fields Pro plugins, which security researchers say have been vulnerable to cross-site scripting (XSS) attacks.
The high severity vulnerability could have allowed a malicious hacker to inject malicious scripts, such as redirects, adverts, and other HTML content into website that would execute when users visited the targeted website.
Thankfully, the vulnerability was mitigated somewhat by the fact that it could only be exploited by logged-in users who had access to the vulnerable plugin, meaning that a non-logged-in attacker would have to trick someone who was logged in with the appropriate privileges to visit a malicious URL to trigger an attack.
Although that is clearly much better than if the attack could be initiated by anyone acessing the website, it’s still important that affected sites are patched promptly.
Security researcher Rafie Muhammad discovered the XSS vulnerability three days ago, and plugin developer WPEngine released a patch yesterday.
Administrators of WordPress websites that are using the affected plugins should ensure they have updated Advanced Custom Fields to version 6.1.6 or later.
I use the Advanced Custom Fields here on grahamcluley.com, so when I first heard about the vulnerability I realised I needed to patch the plugin within the WordPress admin console as quickly as possible.
Fortunately, it turned out that Advanced Custom Fields was one of the plugins that I have chosen to allow to automatically update.
No evidence has been presented of anyone maliciously exploiting the security hole in vulnerable versions of the plugin, although of course that doesn’t mean it hasn’t happened.