April 21, 2024

WordPress plugin vulnerability puts two million websites at risk

A popular WordPress plugin might be putting around two million websites at risk of attack.

Hundreds of thousands of WordPress-powered websites are using the Advanced Custom Fields and Advanced Custom Fields Pro plugins, which security researchers say have been vulnerable to cross-site scripting (XSS) attacks.

The high severity vulnerability could have allowed a malicious hacker to inject malicious scripts, such as redirects, adverts, and other HTML content into a website that would execute when users visited the targeted website.

Fortunately, the vulnerability was mitigated somewhat by the fact that it could only be exploited by logged-in users who had access to the vulnerable plugin, meaning that a non-logged-in attacker would have to trick someone who was logged in with the appropriate privileges into visiting a malicious URL to trigger an attack.

Although that's clearly much better than if the attack could be initiated by anyone accessing the website, it's still important that affected sites are patched promptly.

Security researcher Rafie Muhammad found the XSS vulnerability three days ago, and plugin developer WPEngine released a patch yesterday.

Administrators of WordPress websites that are using the affected plugins should ensure they have updated Advanced Custom Fields to version 6.1.6 or later.

(Image: Advanced Custom Fields release notes. Caption: Advanced Custom Fields plugin changelog.)

I use Advanced Custom Fields here on grahamcluley.com, so when I first heard about the vulnerability I realised I needed to patch the plugin within the WordPress admin console as quickly as possible.

Thankfully, it turned out that Advanced Custom Fields was one of the plugins that I've chosen to allow to automatically update.

No evidence has been presented of anyone maliciously exploiting the security hole in vulnerable versions of the plugin, although of course that doesn't mean it hasn't happened.


Graham Cluley is a veteran of the anti-virus industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy.
Follow him on Twitter at @gcluley, on Mastodon at @[email protected], or drop him an email.