WordPress 6.0.2 Patches Vulnerability That Could Impact Millions of Legacy Sites

Identified in the WordPress Link functionality, previously known as ‘Bookmarks’, the issue only impacts older installations, as the capability is disabled by default on new installations.

However, the functionality might still be enabled on millions of legacy WordPress sites even if they are running newer versions of the CMS, the Wordfence team at WordPress security company Defiant says.

With a CVSS score of 8.0, the security flaw requires administrative privileges and is not easy to exploit in default configurations, but there might be plugins or themes that allow it to be triggered by users with lower privileges (such as editor-level and below), Wordfence says.
