WordPress Plugin Allows Hackers to Steal Data

If you use the “Advanced Custom Fields” plugin on your WordPress site, it might be time for an upgrade.

In early May, a vulnerability was disclosed in the plugin’s code that could open your site up to cross-site scripting (XSS) attacks. According to researcher Rafie Muhammad at Patchstack, the plugin is currently used by over two million users. Advanced Custom Fields is intended to give users better control over their content and data.

Those who use the plugin have been strongly encouraged to update to at least version 6.1.6 of the plugin.

The flaw, which has a CVSS severity score of 6.1 out of 10, leaves sites vulnerable to reflected XSS attacks: malicious code is injected into a webpage served by the plugin, reflected back by the server, and executed in the browsers of visitors to that page.

Simply put, the exploit allows someone to run JavaScript within another person’s view of the page, letting hackers steal information and perform actions as that user.

“This vulnerability allows any unauthenticated user [to steal] sensitive information to, in this case, privilege escalation on the WordPress site by tricking the privileged user to visit the crafted URL path,” Patchstack’s report said.

They continued, “this vulnerability could be triggered on a default installation or configuration of Advanced Custom Fields plugin. This XSS also could only be triggered from logged-in users that have access to the Advanced Custom Fields plugin.”
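Because the attack rides on a crafted URL that a logged-in user is tricked into visiting, the request itself is visible in the web server’s access log. The following is an added example (not code from the article, Patchstack or the plugin) that scans constructed nginx/Apache “combined” log lines for script-like fragments in WordPress admin requests, decoding percent-encoding repeatedly so double-encoded payloads are not missed; the `/wp-admin/` scope and the `example-plugin` page name are assumptions.

```python
"""Flag reflected-XSS attempts against WordPress admin URLs in access logs.

Added example, not from the article or the plugin. Assumes the "combined"
log format; /wp-admin/ as the admin surface and the page name
"example-plugin" are placeholders, not the real plugin's paths.
"""
import re
from typing import Optional
from urllib.parse import parse_qsl, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
# Markup fragments that have no business in an admin request's path or query.
SUSPICIOUS = re.compile(r"<\s*/?\s*(script|img|svg|iframe)\b|\bon\w+\s*=|javascript:", re.I)


def full_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so %253C (double-encoded '<') is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse_line(line: str) -> Optional[dict]:
    """Return a finding for a suspicious /wp-admin/ request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["url"])
    if not parts.path.startswith("/wp-admin/"):
        return None  # only the admin surface matters for this flaw
    # parse_qsl decodes once; full_decode handles any further layers
    candidates = [full_decode(parts.path)]
    candidates += [full_decode(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    hits = [c for c in candidates if SUSPICIOUS.search(c)]
    return {"ip": m["ip"], "path": parts.path, "evidence": hits[0]} if hits else None


def scan(lines) -> list:
    return [r for r in (analyse_line(l) for l in lines) if r]


SAMPLE_LOG = [  # constructed lines, not real traffic
    '203.0.113.5 - - [10/May/2023:12:00:01 +0000] "GET /wp-admin/admin.php?page=example-plugin HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/May/2023:12:00:07 +0000] "GET /wp-admin/admin.php?page=example-plugin&s=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/May/2023:12:00:09 +0000] "GET /blog/?s=%3Cimg%20src%3Dx%20onerror%3Dalert%281%29%3E HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/May/2023:12:00:11 +0000] "GET /wp-admin/admin.php?page=example-plugin&tab=%253Csvg%2520onload%253Dalert%281%29%253E HTTP/1.1" 200 700 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The third sample line is deliberately outside `/wp-admin/` and is skipped, so the scan reports only the two admin requests.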

According to Patchstack, the XSS vulnerability was one of four found in the plugin over the last few years.


Story via The Register