Hundreds of thousands of websites running a popular WordPress plugin are at risk of hacks that give attackers full administrative control, a security firm warned Thursday.

The vulnerability affects Custom Contacts Form, a plugin with more than 621,000 downloads, according to a blog post by researchers from Sucuri. It allows attackers to take unauthorized control of vulnerable websites. It stems from a bug affecting a function known as adminInit(). Hackers can exploit it to create new administrative users or modify database contents.

“The vulnerability was disclosed to the plugin developer a few weeks ago, they were unresponsive,” Sucuri researcher Marc-Alexandre Montpas wrote. “The developers were unresponsive so we engaged the WordPress Security team. They were able to close the loops with the developer and get a patch released, you might have missed it.”

He also wrote that WordPress-powered sites that rely on the plugin should consider switching to a different plugin, such as JetPack and Gravity Forms. The vulnerability affects all versions of the Custom Contacts Form plugin other than the latest,