WordPress plugin hole puts '2 million websites' at risk
2023-05-08 22:22

WordPress site owners running the Advanced Custom Fields plugin should upgrade it: a vulnerability discovered in the plugin's code could expose sites and their visitors to cross-site scripting (XSS) attacks.
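The practical first step the paragraph above asks for is to find out which version of the plugin a site is running and whether it predates the fix. The following is an added example, not code from the article, the plugin vendor or WordPress: it parses the standard WordPress plugin header (the "Plugin Name:" / "Version:" comment block at the top of a plugin's main PHP file) and compares the installed version against a patched version you supply. The sample plugin file, its name and both version numbers are constructed for illustration; the article does not state the fixed ACF version, so take that value from the vendor's advisory rather than from this example.

```python
import re
from typing import Dict, Tuple

# Header fields WordPress itself reads from the first comment block of a
# plugin's main file (format: "Field Name: value", one per line).
HEADER_FIELDS = ("Plugin Name", "Version", "Requires at least", "Requires PHP")

# Constructed sample of a plugin main file; the name and version are made up.
SAMPLE_PLUGIN_FILE = """<?php
/*
Plugin Name: Example Fields
Description: Constructed sample plugin header for this example.
Version: 1.4.2
Requires at least: 5.8
*/
"""

# Placeholder: the version in which the flaw is fixed is NOT given on this
# page. Replace it with the value from the vendor's advisory.
FIXED_VERSION = "1.4.3"


def parse_plugin_header(source: str) -> Dict[str, str]:
    """Return the recognised header fields from a plugin's leading /* ... */ block."""
    block = re.search(r"/\*.*?\*/", source, re.S)
    if not block:
        return {}
    headers: Dict[str, str] = {}
    for raw in block.group(0).splitlines():
        line = raw.strip().lstrip("*").strip()
        for field in HEADER_FIELDS:
            if line.lower().startswith(field.lower() + ":"):
                headers[field] = line.split(":", 1)[1].strip()
    return headers


def version_tuple(version: str) -> Tuple[int, ...]:
    """'1.4.2-beta' -> (1, 4, 2); pre-release suffixes are dropped."""
    core = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not core:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(part) for part in core.group(0).split("."))


def needs_upgrade(installed: str, fixed: str) -> bool:
    """True if the installed version is older than the first fixed version.

    Tuples are padded so that '1.4' compares equal to '1.4.0'.
    """
    a, b = version_tuple(installed), version_tuple(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def assess(source: str, fixed: str = FIXED_VERSION) -> Tuple[str, str, bool]:
    """(plugin name, installed version, whether it must be upgraded) for one plugin file."""
    headers = parse_plugin_header(source)
    name = headers.get("Plugin Name", "<unknown>")
    installed = headers.get("Version", "")
    if not installed:
        raise ValueError(f"{name}: no Version header found")
    return name, installed, needs_upgrade(installed, fixed)


if __name__ == "__main__":
    # Usage on a real site: read wp-content/plugins/<slug>/<slug>.php instead
    # of the constructed sample below.
    name, installed, vulnerable = assess(SAMPLE_PLUGIN_FILE)
    print(f"{name} {installed}: {'UPGRADE REQUIRED' if vulnerable else 'ok'}")
```

Point `assess` at the main file under wp-content/plugins/ for the plugin in question; if the site is managed with WP-CLI, `wp plugin list` gives the same version information without reading files by hand.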

Because hundreds of millions of sites run it, WordPress has also become a popular target for miscreants looking to exploit any flaw in the platform: it's where the money is.

According to a Patchstack survey, there was a 150 percent increase in the number of WordPress vulnerabilities reported between 2020 and 2021, and 29 percent of plugins with critical vulnerabilities at the time remained unpatched.

"Because many of the plugins available for WordPress sites are developed by the community, they may not be regularly audited and maintained," Bischoping told The Register.

"The plugins themselves may contain security vulnerabilities and it is also easy to misconfigure permissions or plugin settings, exposing additional opportunities for exploit."

Casey Ellis, founder and CTO at security crowdsourcer Bugcrowd, told The Register that anyone whose WordPress site is hacked should migrate it to a SaaS host, where the security maintenance is outsourced to a third party and a web application firewall can be put up in front of the site.

News URL

https://go.theregister.com/feed/www.theregister.com/2023/05/08/wordpress_plugin_vulnerability/

Related vendor

Vendor      Last 12M   #/Products   Low   Medium   High   Critical   Total vulns
Wordpress   7          -            2     95       44     18         159
Plugin      2          -            0     13       1      0          14