The AFI plugin for WordPress has a security issue that allows hackers to inject harmful code into certain pages. This can only happen on websites that have multiple sites or have a certain setting disabled. This vulnerability has been fixed in version 1.99.0 and above.