WordPress plugin security flaw could affect millions of websites – how to check if you’re vulnerable
A serious security vulnerability has been discovered in the Advanced Custom Fields plugin, a popular tool for the WordPress website builder. The plugin, which has over two million active installs, contained a flaw that threat actors could exploit to steal sensitive data from website visitors or even take complete control of the website.
The Advanced Custom Fields plugin, along with its Pro version, provides website administrators with enhanced control over content and data management. However, the plugin was found to be susceptible to a cross-site scripting (XSS) attack, which enables attackers to inject malicious code into vulnerable websites. When visitors access the compromised website, the injected code executes in their browsers, allowing the attackers to extract sensitive information. In some cases, if the visitor happens to be the site’s administrator, the attacker can also gain access to their data, ultimately leading to a complete takeover of the website.