
The developers of the Advanced Custom Fields (ACF) WordPress plugin are urging users to update to version 6.1.6 after a security flaw was discovered. The flaw, tracked as CVE-2023-30777, is a reflected cross-site scripting (XSS) vulnerability that could be used to inject arbitrary executable scripts into websites running the plugin. The plugin is available for free and has over two million active installations. The issue was discovered on May 2, 2023.

"This vulnerability allows any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by tricking a privileged user to visit the crafted URL path," Patchstack researcher Rafie Muhammad said.

Reflected XSS attacks usually happen when a victim is tricked into clicking a link whose URL carries malicious code; the vulnerable site echoes that input back in its response, so the script runs in the victim's browser with the victim's session on that site. Because every victim has to be lured into opening a crafted link, reflected XSS does not have the same reach and scale as stored XSS, where the payload is saved on the server and served to everyone who loads the affected page.

"[A reflected XSS attack] is typically a result of incoming requests not being sufficiently sanitized, which allows for the manipulation of a web application's functions and the activation of malicious scripts," Imperva notes.
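To make the mechanism concrete, the following is an added, hypothetical PHP illustration of the pattern described above (a query-string value reflected unescaped into a WordPress admin page) next to a hardened version. It is not the Advanced Custom Fields code and does not reproduce the actual CVE-2023-30777 bug; the parameter name `view`, the function names, and the stand-in escaping helpers are assumptions so the file runs outside WordPress.

```php
<?php
// Hypothetical example of a reflected XSS in a WordPress-style admin page.
// NOT the Advanced Custom Fields code; the parameter `view` and all helper
// names are assumptions made for this illustration.

// Stand-in for WordPress's esc_attr(), so this file runs without WordPress.
// In a real plugin, call esc_attr() instead.
function esc_attr_standin(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Stand-in for sanitize_html_class(): keep only characters valid in a CSS class name.
function sanitize_html_class_standin(string $class): string {
    return preg_replace('/[^A-Za-z0-9_-]/', '', $class);
}

// Vulnerable: the request parameter is concatenated straight into the <body>
// class attribute. A crafted URL such as
//   /wp-admin/admin.php?page=plugin&view=x"><script>alert(1)</script>
// closes the attribute and the tag, and the injected script runs in the
// browser of whoever opens the link, with that user's privileges on the site.
function vulnerable_body_tag(array $get): string {
    $view = isset($get['view']) ? $get['view'] : 'default';
    return '<body class="plugin-admin plugin-view-' . $view . '">';
}

// Hardened: restrict the value to the views the page actually renders and
// escape it before emitting it inside an attribute. Either measure alone
// blocks this payload; using both keeps the output safe if one is bypassed.
function hardened_body_tag(array $get): string {
    $allowed = ['default', 'settings', 'tools'];
    $view = isset($get['view']) ? sanitize_html_class_standin((string) $get['view']) : 'default';
    if (!in_array($view, $allowed, true)) {
        $view = 'default';
    }
    return '<body class="plugin-admin plugin-view-' . esc_attr_standin($view) . '">';
}

// Constructed payload standing in for the query string of a malicious link.
$payload = ['view' => 'x"><script>alert(1)</script>'];

echo "Vulnerable: " . vulnerable_body_tag($payload) . PHP_EOL;
echo "Hardened:   " . hardened_body_tag($payload) . PHP_EOL;
```

Run with `php example.php`: the vulnerable line emits a `<body>` tag followed by a live `<script>` element, while the hardened line falls back to `plugin-view-default` because the sanitized value is not in the allow list. The allow list is the important control here; escaping alone would still reflect attacker-chosen text into the class attribute, merely neutralized.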