A security researcher says he has discovered a severe cross-site scripting (XSS) flaw in code used by the drag-and-drop website builder Wix that could lead to a worm affecting websites created by users of the DIY website platform.

The vulnerability, discovered by Contrast Security senior software engineer Matt Austin, could prompt websites created by Wix's 87 million registered users to deliver a JavaScript payload. “Simply by adding a single parameter to any site created on Wix, the attacker can cause their JavaScript to be loaded and run as part of the target website,” Austin wrote on the company's Security Influencers blog.

Attackers could exploit the vulnerability to create worms that are able to gain administrator-level access to accounts. Wix patched the vulnerability on Wednesday between 3:00 and 6:00 PM EST and created a bug bounty program as a result of the incident, Austin added.