Security researchers warn that the ‘Advanced Custom Fields’ and ‘Advanced Custom Fields Pro’ WordPress plugins, with millions of installs, are vulnerable to cross-site scripting attacks (XSS).