Wordfence’s Threat Intelligence crew has identified a vulnerability in a WordPress plugin installed on more than two million websites identified as All In 1 Search engine marketing Pack.

If exploited, the flaw could allow for authenticated people with contributor amount obtain or higher to inject malicious scripts which are executed when a victim accesses the wp-admin panel’s ‘all posts’ site.