Security Issues Plague WordPress Plugins
According to Sucuri, an XSS issue has impacted numerous WordPress plugins:
- Jetpack
- WordPress SEO
- Google Analytics by Yoast
- All In one SEO
- Gravity Forms
- Multiple Plugins from Easy Digital Downloads
- UpdraftPlus
- WP-E-Commerce
- WPTouch
- Download Monitor
- Related Posts for WordPress
- My Calendar
- P3 Profiler
- Give
- Multiple iThemes products including Builder and Exchange
- Broken-Link-Checker
- Ninja Forms
with probably more to come.
Make sure you upgrade to apply patches as soon as possible.
For developers who want to fix this themselves: if you're calling either add_query_arg or remove_query_arg without passing in a URL, the function builds the URL from $_SERVER['REQUEST_URI']. In that process it URL-decodes the parameter names in the request URI, allowing for XSS. The solution is simply to wrap the output in esc_url and you're done. Not a hard fix, but it has to be done.
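As an added illustration (not code from Sucuri or from any of the plugins named above), here is what the vulnerable and the fixed pattern look like in plugin code. It assumes it runs inside WordPress, where add_query_arg(), remove_query_arg() and esc_url() are core functions; the function and parameter names are hypothetical.

```php
<?php
/*
 * Added example, not code from Sucuri or from any plugin listed above.
 * Assumes a loaded WordPress environment: add_query_arg(),
 * remove_query_arg() and esc_url() are core functions. The function
 * names and the 'paged', 'orderby' and 'order' parameters are hypothetical.
 */

// VULNERABLE: no URL argument, so add_query_arg() builds the link from
// $_SERVER['REQUEST_URI']. Parameter names in that URI are URL-decoded on
// the way through, so a crafted query string ends up in the href unescaped.
function myplugin_pagination_link_vulnerable( $page ) {
	$url = add_query_arg( 'paged', (int) $page );
	return '<a href="' . $url . '">Page ' . (int) $page . '</a>';
}

// FIXED: esc_url() sanitises the rebuilt URL before it is echoed. It removes
// characters that are not permitted in a URL (double quotes and angle
// brackets included) and entity-encodes ampersands and single quotes for
// HTML output, so the decoded parameter names can no longer break out of
// the attribute.
function myplugin_pagination_link_fixed( $page ) {
	$url = esc_url( add_query_arg( 'paged', (int) $page ) );
	return '<a href="' . $url . '">Page ' . (int) $page . '</a>';
}

// The same rule applies to remove_query_arg(): it takes the same
// REQUEST_URI shortcut when no URL is passed, so wrap its output too.
function myplugin_clear_sort_link() {
	$url = esc_url( remove_query_arg( array( 'orderby', 'order' ) ) );
	return '<a href="' . $url . '">Clear sorting</a>';
}
```

When reviewing a plugin for this, the thing to look for is any echo of add_query_arg() or remove_query_arg() that does not pass through esc_url(); passing an explicit base URL as the third (or second) argument avoids the REQUEST_URI path, but escaping the output is still the right habit.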