For the past week, security firm Sucuri has worked with the WordPress core security team to address a cross site scripting vulnerability discovered in more than a dozen popular WordPress plugins. The vulnerability stems from the improper use of the add_query_arg() and remove_query_arg() functions. Inaccurate information within the WordPress Codex lead many developers to assume these functions would properly escape user input.
Sucuri worked with Yoast and discovered the problem affects a lot more plugins than just WordPress SEO. Sucuri has audited the top 300-400 plugins in the directory and found at least 15 plugins to contain vulnerable code.
All In one SEO
Multiple Plugins from Easy Digital Downloads
Aesop Story Engine
So far, there is no evidence that suggests the vulnerability is being actively exploited. It’s extremely important that plugin authors revisit your code to make sure you’re not improperly using the add_query_arg() and remove_query_arg() functions. The Make WordPress Plugins site has a post that provides in-depth information on how to check and fix your plugins.
To date, this is the largest coordinated effort between an outside party, the WordPress core and security teams, and plugin developers. According to Sucuri, affected plugin developers banded together for the common good. Related auto updates only contain code needed to fix the security vulnerability. This should limit the possibility of auto updates breaking sites.
The plugins listed above have already been patched and updates should be available to all users. Browse to Dashboard – Updates to check for and install any available updates.