You might have heard in the last few days about the XSS (cross-site scripting) vulnerability that affected many WordPress plugins and themes. Many plugin and theme authors have already released updates to fix it.
If you run a WordPress site with a theme and plugins installed, you should check right away for updates and move to the latest version of every theme or plugin you use. The chances are high that you are using an affected plugin, since some of the most popular plugins use the functions that can lead to the cross-site scripting vulnerability.
Here is a partial list of WordPress plugins that have been affected:
- WordPress SEO
- Google Analytics by Yoast
- All in One SEO
- Gravity Forms
- Multiple Plugins from Easy Digital Downloads
- Download Monitor
- Related Posts for WordPress
- My Calendar
- P3 Profiler
- Various iThemes products
- Ninja Forms
- Aesop Story Engine
How could this happen to such well-known plugins, developed by experienced and professional developers of widely trusted products, you might be wondering? It all comes down to the fact that the functions add_query_arg() and remove_query_arg() were assumed to return a safely escaped URL. The documentation in the WordPress Codex wasn't specific about the security of these functions.
What needs to be done is to pass the result of these functions through esc_url() before it is printed into the HTML page. Developers know about this problem and are updating their plugins and themes to address this important security flaw. If you need guidelines to check your plugin or theme for this issue, or help on how to fix it, head over to the WordPress.org developer page for the function and read the note on esc_url().
The risk of this exploit affecting your WordPress website is considered minimal, but it might still affect your site under certain circumstances. Be sure to check your plugins and themes and update them as soon as possible to avoid any problems resulting from this vulnerability in the future.
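As an added illustration (not code from this post or from any of the plugins listed above), here is the output pattern behind the problem in a hypothetical plugin settings page, followed by the corrected version. It assumes WordPress is loaded; the function names, the `myplugin` page slug and the `tab` parameter are invented for this example.

```php
<?php
// Hypothetical settings-page tab links for an example plugin (constructed for this post).
// Assumes WordPress is loaded so add_query_arg(), esc_url(), esc_html() and admin_url() exist.

// BEFORE: the pattern that made plugins vulnerable.
// With no base URL supplied, add_query_arg() builds on $_SERVER['REQUEST_URI'], so
// whatever is in the current request URL is copied into the returned string without
// escaping and then printed straight into the href attribute.
// remove_query_arg() uses add_query_arg() internally, so it behaves the same way.
function myplugin_render_tabs_vulnerable() {
    $tabs = array( 'general' => 'General', 'advanced' => 'Advanced' );
    foreach ( $tabs as $slug => $label ) {
        $url = add_query_arg( 'tab', $slug );                // derived from REQUEST_URI: untrusted
        echo '<a href="' . $url . '">' . $label . '</a> ';   // no escaping before output
    }
}

// AFTER: the fix recommended in the Codex note. esc_url() is applied at the point
// of output; it rejects invalid protocols and encodes characters that could break
// out of the attribute. esc_html() is the same habit applied to the link text.
function myplugin_render_tabs_fixed() {
    $tabs = array( 'general' => 'General', 'advanced' => 'Advanced' );
    foreach ( $tabs as $slug => $label ) {
        $url = add_query_arg( 'tab', $slug );
        echo '<a href="' . esc_url( $url ) . '">' . esc_html( $label ) . '</a> ';
    }
}

// Belt and braces: hand add_query_arg() an explicit, trusted base URL instead of
// letting it fall back to the request URI, and still escape on output.
function myplugin_render_tabs_hardened() {
    $base = admin_url( 'options-general.php?page=myplugin' );  // trusted base, not REQUEST_URI
    $tabs = array( 'general' => 'General', 'advanced' => 'Advanced' );
    foreach ( $tabs as $slug => $label ) {
        $url = add_query_arg( 'tab', $slug, $base );
        echo '<a href="' . esc_url( $url ) . '">' . esc_html( $label ) . '</a> ';
    }
}
```

When auditing a plugin or theme, grep for add_query_arg( and remove_query_arg( and check that every result that reaches HTML output is wrapped in esc_url() (or esc_url_raw() for non-HTML uses such as redirects).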