XSS Vulnerability Affecting Multiple WordPress Plugins
As you’re no doubt well aware, security is one of our top priorities here at Pressidium. Our platform is built to be as secure as possible for our customers; however, there are always areas that are out of our control.
One such area is the use of WordPress plugins and the practice of keeping them up to date. It has come to our attention, through research carried out by Joost from Yoast into some of the most popular WordPress plugins, that they may be vulnerable to cross-site scripting (XSS).
In an article, Sucuri explains that these vulnerabilities stem from the misuse of the add_query_arg() and remove_query_arg() functions.
"The official WordPress Official Documentation (Codex) for these functions was not very clear and misled many plugin developers to use them in an insecure way. The developers assumed that these functions would escape the user input for them, when they do not." - Sucuri Blog.
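As an added illustration, not code from the original post or from any of the plugins listed above, here is the pattern Sucuri describes beside its fix. It assumes a WordPress environment (add_query_arg(), remove_query_arg() and esc_url() are the real WordPress functions); the surrounding plugin function names are hypothetical.

```php
<?php
// Added example: insecure vs. corrected use of add_query_arg()/remove_query_arg().
// Function names prefixed "example_" are hypothetical; the WordPress API calls are real.

// VULNERABLE PATTERN: with no URL argument, add_query_arg() builds its result on
// $_SERVER['REQUEST_URI'], which the visitor controls, and returns it UNESCAPED.
// Echoing that return value straight into an href attribute reflects whatever the
// request URI contained, which is the root cause of the reported XSS.
function example_next_page_link_insecure( $page ) {
    return '<a href="' . add_query_arg( 'paged', (int) $page ) . '">Next</a>';
}

// CORRECTED PATTERN: treat the return value as untrusted and escape it at the point
// of output. esc_url() encodes characters that would terminate the attribute and
// rejects disallowed protocols, so the reflected request URI cannot inject markup.
function example_next_page_link_secure( $page ) {
    return '<a href="' . esc_url( add_query_arg( 'paged', (int) $page ) ) . '">Next</a>';
}

// remove_query_arg() has the same contract: it also returns an unescaped URL
// derived from the current request, so its output needs esc_url() as well.
function example_reset_filters_link_secure() {
    $url = remove_query_arg( array( 'paged', 'orderby', 'order' ) );
    return '<a href="' . esc_url( $url ) . '">Reset filters</a>';
}
```

The same rule applies when the URL is printed into a JavaScript string (use esc_js()) or a plain-text context (use esc_html()); the escaping function must match the context the value lands in. A quick audit of a plugin is to search its source for add_query_arg( and remove_query_arg( and confirm every echoed result is wrapped in the appropriate escaping call.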
Some of the most popular plugins affected by this vulnerability include:
- WordPress SEO
- Google Analytics by Yoast
- All in One SEO
- Gravity Forms
- Multiple Plugins from Easy Digital Downloads
- Download Monitor
- Related Posts for WordPress
- My Calendar
- P3 Profiler
- Multiple iThemes products including Builder and Exchange
- Ninja Forms
Action To Take
Because of these vulnerabilities, and because many other affected plugins are not on the above list, we are urging all of our customers to visit their WordPress dashboard and update all available plugins as soon as possible. Since the discovery of this issue, many of the developers of the plugins listed above have already issued patched versions.
We have also emailed all of our customers as a reminder. It is incredibly important that you keep your plugins updated to their most recent versions, so please make sure your websites are updated, secure and safe.