Skip to content

WordPress plugin vulnerability puts two million websites at risk • Graham Cluley

A recent security vulnerability in the popular WordPress plugin, Advanced Custom Fields, has put around two million websites at risk. The vulnerability was discovered by security researcher Rafie Muhammad and could allow malicious hackers to inject harmful scripts into websites, which would execute when users visited the targeted website. The vulnerability could only be exploited by logged-in users with access to the vulnerable plugin, but it is still important that affected sites are promptly patched. Plugin developer WPEngine has released a patch that administrators of WordPress websites using the affected plugins should ensure they have updated to version 6.1.6 or later.

Fortunately, no evidence has been presented of anyone exploiting the security hole in vulnerable versions of the plugin, but it is always better to be safe than sorry. Security researcher Rafie Muhammad discovered the XSS vulnerability three days ago, and plugin developer WPEngine released a patch yesterday. It is important to note that Advanced Custom Fields is a widely-used plugin, and many websites rely on it. Therefore, it is crucial to ensure that the affected sites are patched promptly to avoid any security breaches.

Graham Cluley, an independent security analyst, uses the Advanced Custom Fields plugin on his website and was able to patch the plugin within the WordPress admin console immediately. Cluley is known for his expertise in the computer security industry and has worked with various security companies since the early 1990s. He regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy.

In conclusion, the Advanced Custom Fields vulnerability is a serious concern for the millions of WordPress-powered websites that are using the plugin. The vulnerability could allow malicious hackers to inject harmful scripts into websites, putting users at risk. Fortunately, a patch has been released, and administrators of WordPress websites should ensure they have updated the plugin to version 6.1.6 or later. It is essential to take security seriously and to take prompt action to patch vulnerabilities as they are discovered.

Leave a Reply

Your email address will not be published. Required fields are marked *