Thousands of websites are at risk of being compromised through a previously undisclosed vulnerability in a WordPress plugin, which researchers say could be used to inject malicious code into websites.
The flaw exists in Fancybox, a popular image-display plugin, through which Sucuri researchers say malware or any other script can be added to a vulnerable site.
"We can confirm that this plugin has a serious vulnerability," the researchers wrote. "It's being actively exploited in the wild, leading to many compromised websites."
WordPress, which comes in two main flavors (a hosted version and a downloadable self-hosted version), has already removed the plugin from its repository. But with more than half a million users of the plugin at risk, researchers warn that users should remove the plugin from their own sites.
It is not clear, however, how many websites have actually been compromised through the flaw.
WordPress remains one of the most popular blogging platforms on the web. It's used by more than 23 percent of the top 10 million websites, recent statistics show.