For the past week, security firm Sucuri has worked with the WordPress core security team to address a cross site scripting vulnerability discovered in more than a dozen popular WordPress plugins. The vulnerability stems from the improper use of the add_query_arg() and remove_query_arg() functions. Inaccurate information within the WordPress Codex lead many developers to assume these functions would properly escape user input.
Sucuri worked with Yoast and discovered the problem affects a lot more plugins than just WordPress SEO. Sucuri has audited the top 300-400 plugins in the directory and found at least 15 plugins to contain vulnerable code.
Jetpack
WordPress SEO
Google Analytics
All In one SEO
Gravity Forms
Multiple Plugins from Easy Digital Downloads
UpdraftPlus
WP e-Commerce
WPTouch
Download Monitor
P3 Profiler
Give
iThemes Exchange
Broken-Link-Checker
Ninja Forms
Aesop Story Engine
My Calendar
So far, there is no evidence that suggests the vulnerability is being actively exploited. It’s extremely important that plugin authors revisit your code to make sure you’re not improperly using the add_query_arg() and remove_query_arg() functions. The Make WordPress Plugins site has a post that provides in-depth information on how to check and fix your plugins.
Automatic Updater
To date, this is the largest coordinated effort between an outside party, the WordPress core and security teams, and plugin developers. According to Sucuri, affected plugin developers banded together for the common good. Related auto updates only contain code needed to fix the security vulnerability. This should limit the possibility of auto updates breaking sites.
The plugins listed above have already been patched and updates should be available to all users. Browse to Dashboard – Updates to check for and install any available updates.
