The Advanced Custom Fields WordPress plugin has a vulnerability that is leaving more than 2 million websites vulnerable.

According to a report by Patchstack, both the free and pro versions of the Advanced Custom Fields plugin have a reflected XSS vulnerability. The vulnerability opens the door to sensitive information being stolen:

This vulnerability allows any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by tricking privileged user to visit the crafted URL path.

The company says updating to version 6.1.6 or later should protect websites:

The plugin Advanced Custom Fields and Advanced Custom Fields Pro (versions 6.1.5 and below, free and pro version), which has over 2 million active installations are known as the most popular custom fields plugins in WordPress.

Admins should make sure they’re running the latest version as soon as possible.