If your website is built on WordPress, it is important to note that there have been some issues regarding XSS (Cross-site Scripting) recently with WordPress versions 4.1.1 and earlier. This vulnerability can enable anonymous users to compromise a website if you do not Update your website to the newest WordPress versions and all theme and plugins. The issue was caused by documentation in the official WordPress Codex for the popular functionsadd_query_arg() and remove_query_arg() not being very clear which has led to their unsecured use by developers.
This has affected many of the most popular WordPress themes and plugins. At this time there is a comprehensive review taking place to ensure that issues with the affected ones are being resolved.
According to Gary Pendergast, who is assisting in the effort to resolve this, “There is no official headcount on how many plugin’s are affected, as it’s a case-by-case things to check.” He has also indicated that some of the affected plugins are no longer having automated updates, stating “Jetpack, EDD, P3, Download Monitor and Related Posts for WP opted-in for auto updates, I didn’t keep track of who opted out.”
When was this issue discovered and who was affected?
The vulnerabilities in the themes and plugins were first discovered by Joost De Valk and shared on his Yoast site. Joost identified the issues with the themes and plugins approximately two weeks ago, a joint release from a group of developers was created with the WordPress security team. This joint release represented a shared mission to resolve these issues and share needed information with current users. All patches and updates were pushed to users within the last week.
As previously stated not all of the affected themes and plugins have been determined, we have listed several that have been identified below, however this is not a complete list.
- Gravity Forms
- WP E-Commerce
- WP Touch
- WordPress SEO
- Updraft Plus
- Google Analytics by Yoast
- All in One SEO
- Easy Digital Downloads
- My Calendar
- Ninja Forms
These just represent a few of the affected themes and plugins, so if you do not see one you have used on the list that does not mean it wasn’t affected. As more research is completed additional plugins will be identified.
It is not uncommon for issues that cause vulnerability to arise, it is more common than most people realize. What is important is that information is shared with the user, and that the information needed to protect the user from vulnerabilities is shared.