May 2, 2015

XSS Vulnerability affects many popular WordPress plugins

Sucuri recently released an article identifying an XSS vulnerability found in many popular WordPress plugins. The affected functions are add_query_arg() and remove_query_arg(), which developers commonly use to add and modify query strings / URLs within WordPress. The documentation in the WordPress Codex was misleading and unclear, which may have led to the dangerous use of these functions.

Some common plugins which have been affected:

  • JetPack
  • WordPress SEO
  • All In One SEO
  • Gravity Forms
  • WP E-Commerce
  • WPtouch
  • Download Monitor
  • Related Posts
  • Ninja Forms

There are sure to be many more that are not listed, since Sucuri only reviewed the top 300 most downloaded plugins. It is highly recommended that you update your WordPress platform and plugins immediately.
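As an added example (not part of Sucuri's advisory or this post), the following Python script audits PHP source for the misuse pattern behind this vulnerability. It relies on a fact the post does not spell out: both functions return a URL that is not escaped, and when called without a URL argument the result is built from the current request URI, so the return value must be passed through esc_url() (or esc_url_raw() for non-HTML contexts such as redirects) before it is output. The sample PHP lines are constructed for illustration, and the function and variable names in the script are mine, not from any WordPress or Sucuri tooling.

```python
import re

# Constructed sample of plugin code showing the vulnerable and the corrected patterns.
SAMPLE_PHP = """<?php
// Vulnerable: the returned URL is echoed straight into an href attribute.
echo '<a href="' . add_query_arg( 'paged', 2 ) . '">Next</a>';
// Vulnerable: stored in a variable, then echoed later without escaping.
$back = remove_query_arg( 'updated' );
echo '<a href="' . $back . '">Back</a>';
// Safe: escaped for an HTML attribute at the point of output.
echo '<a href="' . esc_url( add_query_arg( 'paged', 2 ) ) . '">Next</a>';
// Safe: escaped for a non-HTML context (redirect header).
wp_redirect( esc_url_raw( add_query_arg( 'updated', 'true' ) ) );
// Safe: stored unescaped but escaped where it is output.
$next = add_query_arg( 'paged', 3 );
echo '<a href="' . esc_url( $next ) . '">Next</a>';
"""

CALL = r'(?:add|remove)_query_arg\s*\('
CALL_RE = re.compile(r'\b' + CALL)                            # any call
WRAPPED_RE = re.compile(r'\besc_url(?:_raw)?\s*\(\s*' + CALL)  # call wrapped in esc_url()
ASSIGN_RE = re.compile(r'(\$\w+)\s*=\s*' + CALL)              # $var = add_query_arg(...)
SINK_RE = re.compile(r'\becho\b|\bprint\b|\bprintf\b|<\?=')   # direct output sinks


def find_unescaped_query_arg(source):
    """Return [(line_number, reason)] for lines that output an unescaped
    add_query_arg()/remove_query_arg() result.

    Two cases are caught: the call sitting directly in an echo/print, and a
    variable assigned from an unwrapped call and later echoed without esc_url().
    The variable tracking is file-order only (no scope or reassignment analysis),
    which is good enough for a quick audit but can produce false positives.
    """
    findings = []
    tainted = set()  # variables known to hold an unescaped result
    for lineno, line in enumerate(source.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith(('//', '#', '*', '/*')):
            continue  # skip comments so words like "echo" in prose do not count
        sink = SINK_RE.search(line)
        unwrapped_calls = len(CALL_RE.findall(line)) - len(WRAPPED_RE.findall(line))
        if unwrapped_calls > 0:
            assign = ASSIGN_RE.search(line)
            if assign:
                tainted.add(assign.group(1))  # not a finding yet; flag on output
            elif sink:
                findings.append((lineno, 'add_query_arg()/remove_query_arg() result '
                                         'output without esc_url()'))
        if sink:
            for var in sorted(tainted):
                used = re.search(re.escape(var) + r'\b', line)
                escaped = re.search(r'\besc_url(?:_raw)?\s*\(\s*' + re.escape(var) + r'\b', line)
                if used and not escaped:
                    findings.append((lineno, f'{var} holds an unescaped '
                                             'add_query_arg()/remove_query_arg() result'))
    return findings


def flagged_lines(source):
    """Convenience wrapper returning only the offending line numbers."""
    return [lineno for lineno, _ in find_unescaped_query_arg(source)]


if __name__ == '__main__':
    for lineno, reason in find_unescaped_query_arg(SAMPLE_PHP):
        print(f'line {lineno}: {reason}')
```

Run against a plugin directory by feeding each PHP file's contents to find_unescaped_query_arg(); every hit is a line to review and wrap in esc_url() or esc_url_raw() according to the output context. The regexes are deliberately conservative, so treat the output as a review list rather than a verdict.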

Some other helpful hints to reduce your risk of exposure and exploitation:

  • Updates – Keep your plugins and all software updated.
  • Access Control – Protect your WP-Admin folder. Do not overuse the administrative roles on your site. Be sure to use the appropriate user role. For instance, if you are not making administrative changes, do not use the administrative role.
  • Review – Review all of your security logs.