Security Issues Plague WordPress Plugins

According to Sucri, a XSS issue has impacted numerous WordPress Plugins:

Jetpack
WordPress SEO
Google Analytics by Yoast
All In one SEO
Gravity Forms
Multiple Plugins from Easy Digital Downloads
UpdraftPlus
WP-E-Commerce
WPTouch
Download Monitor
Related Posts for WordPress
My Calendar
P3 Profiler
Give
Multiple iThemes products including Builder and Exchange
Broken-Link-Checker
Ninja Forms

with probably more to come.
Make sure you upgrade to apply patches as soon as possible.
For DIY, the solution for developers of how to fix this issue: if you’re using either add_query_arg or remove_query_arg without passing in the URL, it bases the URL it creates off of $_SERVER['REQUEST_URI']. In that process, it URL decodes the parameter names in the request URI, allowing for XSS. The solution is to simply wrap the output in esc_url and you’re done. Not a hard fix, but it has to be done.

Security Issues Plague WordPress Plugins

Categories

Recent Posts

Archives

Quick Links

Security Issues Plague WordPress Plugins

Categories

Recent Posts

Archives

Quick Links

Tags

You may also like

Triple Play: How LN Distribution, Northern Hot Tubs and Len Carter Partnered with ozEworks to Package a Trio of Successful e-commerce Sites for Sporting Goods, Hot Tubs and Leisure Time Fun

We support Ukraine

PayPal and the American Rescue Plan Act of 2021