Threat actors on Wednesday launched a massive hacking campaign targeting WordPress websites that use the Yuzo Related Posts plugin, a recently discontinued plugin that is vulnerable to a cross-site scripting (XSS) attack. The flaw allows attackers to inject malicious code into legitimate websites that will cause users to get redirected to malicious websites.

The discontinued plugin has been installed on more than 60,000 websites. Even though the flaw was originally discovered by a security researcher and not by a hacker, the researcher did not notify the plugin’s author, and instead published proof-of-concept code of the attack online. One of the many victims of the attack was Mailgun, an automated service for sending, receiving, and tracking emails.

Read more: Mailgun hacked part of massive attack on WordPress sites