Security Issues Plague WordPress Plugins
According to Sucuri, an XSS issue has impacted numerous WordPress plugins:
- WordPress SEO
- Google Analytics by Yoast
- All In one SEO
- Gravity Forms
- Multiple Plugins from Easy Digital Downloads
- Download Monitor
- Related Posts for WordPress
- My Calendar
- P3 Profiler
- Multiple iThemes products including Builder and Exchange
- Ninja Forms
with probably more to come.
Make sure you upgrade to apply patches as soon as possible.
For developers who want to fix this themselves: if you're using either add_query_arg or remove_query_arg without passing in a URL, the function builds the URL it returns from
$_SERVER['REQUEST_URI']. In that process it URL-decodes the parameter names in the request URI, so when the result is echoed into a page without escaping it allows XSS. The solution is simply to wrap the output in
esc_url and you're done. Not a hard fix, but it has to be done.
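The vulnerable pattern beside its fixed form, as an added example that is not code from this post or from any of the plugins listed above; it assumes it runs inside WordPress (add_query_arg, remove_query_arg, esc_url, esc_html and admin_url are core functions), and the my_plugin_* helper names and admin page slug are hypothetical:

```php
<?php
// Added example, not from the original post or any listed plugin.
// Assumes WordPress core is loaded. Helper names my_plugin_* are hypothetical.

// VULNERABLE: no $url argument, so add_query_arg() falls back to
// $_SERVER['REQUEST_URI'] and URL-decodes the parameter names found there.
// The decoded request URI is then echoed straight into an href attribute.
function my_plugin_filter_link_vulnerable( $status ) {
    $href = add_query_arg( 'status', $status );
    return '<a href="' . $href . '">' . esc_html( $status ) . '</a>';
}

// FIXED: wrap the result in esc_url() before it reaches the attribute.
// esc_url() strips characters that are not valid in a URL (including
// double quotes and angle brackets) and entity-encodes the rest for
// display, so the request URI can no longer break out of the attribute.
function my_plugin_filter_link_fixed( $status ) {
    $href = esc_url( add_query_arg( 'status', $status ) );
    return '<a href="' . $href . '">' . esc_html( $status ) . '</a>';
}

// Same pattern for remove_query_arg(): a "reset" link that drops filters
// also starts from $_SERVER['REQUEST_URI'] when no URL is passed.
function my_plugin_reset_link_fixed() {
    $href = esc_url( remove_query_arg( array( 'status', 'paged' ) ) );
    return '<a href="' . $href . '">Reset</a>';
}

// Belt and braces: pass an explicit base URL so the helper never reads
// $_SERVER['REQUEST_URI'] at all, and still escape on output.
function my_plugin_filter_link_explicit_base( $status ) {
    $base = admin_url( 'admin.php?page=my-plugin' ); // hypothetical page slug
    $href = esc_url( add_query_arg( 'status', $status, $base ) );
    return '<a href="' . $href . '">' . esc_html( $status ) . '</a>';
}
```

Grep a plugin for add_query_arg( and remove_query_arg( calls with only one or two arguments that are echoed without esc_url() to find the places that need this change.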