A WordPress custom field plugin flaw makes over 1 million websites vulnerable to XSS assaults.

The ‘Advanced Custom Fields’ and ‘Advanced Custom Fields Pro’ WordPress plugins, which have millions of installations, are vulnerable to cross-site scripting attacks (XSS), according to security researchers.

According to the researcher at Patchstack, XSS issues typically enable attackers to insert malicious scripts on public websites, which causes the visitor’s web browser to execute malware.

An unauthenticated attacker may be able to elevate their privileges on a vulnerable WordPress site and steal sensitive data thanks to the XSS bug

It is recommended that all Advanced Custom Fields and Advanced Custom Fields Pro users update as soon as possible to version 6.1.6 or later.