Due to the misuse of the add_query_arg() and remove_query_arg() functions, several WordPress plugins and themes are vulnerable to Cross-site Scripting (XSS). These functions are used by web developers to adjust and add query strings to URLs within WordPress. The vulnerability is caused by a common code pattern used in WordPress plugins and themes purchased through ThemeForest, CodeCanyon, WordPress.org and other sources.
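The pattern behind the advisory, as an added illustration that is not code from the advisory or from any of the plugins listed on this page (the example_* function names are placeholders):

```php
<?php
// Added illustration, not code from any affected plugin.
// add_query_arg() and remove_query_arg() build their result from
// $_SERVER['REQUEST_URI'] when no base URL is passed, so the returned string
// carries whatever the visitor put in the request. Printing that string into
// HTML without escaping is the common code pattern described above.

// Vulnerable pattern: the current URL, including any quote or angle bracket
// present in the request, is echoed straight into an href attribute.
function example_pagination_link_vulnerable( $page ) {
    return '<a href="' . add_query_arg( 'paged', (int) $page ) . '">Next</a>';
}

// Hardened pattern: escape at the point of output. esc_url() rejects
// disallowed protocols and entity-encodes characters that could break out
// of the attribute; esc_url_raw() is the variant for non-HTML contexts
// such as a redirect header or a database value.
function example_pagination_link_safe( $page ) {
    return '<a href="' . esc_url( add_query_arg( 'paged', (int) $page ) ) . '">Next</a>';
}

// remove_query_arg() has the same behaviour and needs the same treatment.
function example_reset_link_safe() {
    return '<a href="' . esc_url( remove_query_arg( array( 'paged', 's' ) ) ) . '">Reset</a>';
}
```

To audit a site for this pattern, search wp-content/plugins and wp-content/themes for calls to add_query_arg() or remove_query_arg() whose result reaches echo or an HTML attribute without passing through esc_url() or esc_url_raw().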
What can I do?
Since there is no way of knowing the exact number of plugins or themes affected, it is recommended to check your plugins periodically and apply any updates as soon as possible.
Here are some of the plugins that are affected:
- WordPress SEO
- Google Analytics by Yoast
- All In one SEO
- Gravity Forms
- Multiple Plugins from Easy Digital Downloads
- Download Monitor
- Related Posts for WordPress
- My Calendar
- P3 Profiler
- Multiple iThemes products including Builder and Exchange
- Ninja Forms
All developers using WordPress websites should log in to the WordPress admin dashboard and update any out-of-date plugins.
How to Avoid Risk and Improve Security on WordPress Plugins
In order to decrease your risk of threat and improve security, here are a few tips to consider:
- Patch. Keep your sites updated.
- Restrict. Apply restrictive access control. Restrict your wp-admin directory to whitelisted IP addresses only. Only give admin access to users who really need it. Do not log in as admin unless you are actually doing admin work. These are some examples of restrictive access control policies that can minimize the impact of vulnerabilities on your site.
- Monitor. Monitor your logs. They may give you clues to what is happening on your site.
- Reduce your scope. Only use the plugins (or themes) that your site really needs to function.
- Detect. Prevention may fail, so we recommend scanning your site for indicators of compromise or outdated software. Sitecheck is a free tool that can help scan your website.
- Defense in Depth. If you have an Intrusion Prevention System (IPS) or Web Application Firewall (WAF), they can help block most common forms of XSS exploits. You can even try our own CloudProxy to help you with that. If you like the open source route, you can try OSSEC, Snort and ModSecurity to help you achieve that.
It is important to always keep your WordPress installation and associated plugins and themes up to date. If you still have concerns, we suggest engaging with an experienced WordPress developer to check whether your site is affected.
For more information regarding the XSS vulnerability security advisory, refer to this link: Security Advisory: XSS Vulnerability Affecting Multiple WordPress Plugins