Almost 2 million WordPress sites at risk due to ACF plugin vulnerability

ACF Vulnerability
A vulnerability in “Advanced Custom Fields” exposes almost 2 million WordPress sites to cross-site scripting (XSS) attacks.

A critical security flaw has been discovered in the popular WordPress ACF plugin, exposing over a million websites to malicious Cross-site Scripting (XSS) code injection attacks. Our WordPress support team summarises the technical details of this vulnerability and provides advice on how to secure affected websites.

The update for the Advanced Custom Fields (ACF) plugin is available in the WordPress extensions catalogue.

Vulnerable WordPress plugin: ACF (Advanced Custom Fields)

The vulnerability affects the Advanced Custom Fields (ACF) plugin, which allows website developers to create and manage custom fields for their sites. ACF is widely used by theme and plugin developers, as well as WordPress site administrators.

Details of the security flaw

The security flaw in ACF lies in the way the plugin handles incoming data when editing a custom field. An attacker can exploit this vulnerability by inserting a malicious script into the custom field, which is then executed when the site is visited by users. XSS attacks can be used to steal sensitive information, such as login credentials and personal data from site visitors.

According to the Wordfence security team, which discovered the flaw, exploiting this vulnerability is relatively simple and does not require advanced technical skills. Attackers can take advantage of the lack of filtering and validation of incoming data to inject malicious JavaScript code into custom fields.

Impact of vulnerability

The number of websites affected by this security flaw is estimated at almost two million! This makes it one of the largest security vulnerabilities ever discovered in a WordPress plugin. Vulnerable websites include blogs, e-commerce sites, news portals and other types of websites.

Solutions and protection measures following the ACF plugin security breach

The developers of ACF have released a security update to resolve this vulnerability. It is essential that website administrators using the ACF plugin apply this update immediately to protect their sites against XSS attacks.

In addition, website administrators should take the following steps to strengthen the security of their sites:

  1. Hire a WordPress CMS professional, like Sumobaby, to regularly update all plugins, themes, and the WordPress core.
  2. Use security plugins to monitor and protect their site against attacks and vulnerabilities.
  3. Set up automatic site backups to facilitate recovery in the event of a successful attack.


The discovery of this security flaw in the ACF plugin highlights the importance of keeping website security components up to date. Website administrators should take immediate action to apply updates to the ACF plugin.

If a WordPress site owner has fallen victim to this flaw in the ACF plugin, here are the steps to follow to resolve the problem and secure the site.

get in touch now

No Comments

Post a Comment