The same cross-site scripting (XSS) vulnerability has been found in a number of popular WordPress plugins, and a coordinated plugin update was released earlier today to address it. If you use any of the plugins in the list below, install the update now.
- WordPress SEO
- Google Analytics by Yoast
- All In one SEO
- Gravity Forms
- Multiple Plugins from Easy Digital Downloads
- Download Monitor
- Related Posts for WordPress
- My Calendar
- P3 Profile
- Multiple iThemes products including Builder and Exchange
- Ninja Forms
Note: other plugins may be affected by the same cross-site scripting vulnerability, so make sure every plugin installed on your WordPress site is running its latest version. If you are not sure whether a plugin you use is affected, contact its developer and check. Better safe than sorry.
What is the Vulnerability?
All of the affected plugins had the same problem: they printed the return value of add_query_arg() or remove_query_arg() into HTML (typically an href attribute) without escaping it. These functions are very popular with WordPress developers and are used to add, change or remove query-string parameters in a URL. When they are called without an explicit URL they build the result from $_SERVER['REQUEST_URI'], i.e. from whatever the client sent, and they do not escape their output. A crafted link can therefore inject HTML or JavaScript into any page that echoes the returned URL, which makes this a reflected XSS. The fix is to escape the returned URL for the context it is used in: esc_url() when printing it in HTML, esc_url_raw() when passing it to a redirect or storing it. The problem spread so widely because the Codex documentation for these two functions was unclear on this point; the examples it gave never showed the return value being escaped.
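The vulnerable pattern beside its hardened form, as an added example that is not code from the original post or from any of the plugins listed above. It runs stand-alone: stub_add_query_arg() and stub_esc_url() are simplified stand-ins that reproduce only the behaviour of WordPress's add_query_arg() and esc_url() that matters here (the fallback to $_SERVER['REQUEST_URI'] and the character filtering of the escaper), and the request URI and the "example-plugin" page slug are constructed for the demonstration. Inside a real plugin you call the WordPress functions themselves.

```php
<?php
// Added example; not code from the original post or from any affected plugin.
// The two helpers are simplified stand-ins (assumptions) for WordPress's
// add_query_arg() and esc_url(), so that the script runs without WordPress.

/**
 * Stand-in for add_query_arg( $key, $value ) called without a URL argument.
 * Like WordPress, it falls back to $_SERVER['REQUEST_URI']: the path and the
 * existing query string come straight from the client's request, and the
 * return value is NOT escaped for HTML.
 */
function stub_add_query_arg( $key, $value ) {
    $parts = explode( '?', $_SERVER['REQUEST_URI'], 2 );
    $base  = $parts[0];                                   // client-controlled, passed through unchanged
    parse_str( isset( $parts[1] ) ? $parts[1] : '', $args );
    $args[ $key ] = $value;
    return $base . '?' . http_build_query( $args );
}

/**
 * Stand-in for esc_url(): keeps only the characters WordPress allows in a URL
 * (the same character class as core; this drops < > " and whitespace), then
 * encodes & and ' so the result is safe inside a quoted HTML attribute.
 * Real esc_url() also validates the scheme against an allow-list; omitted here.
 */
function stub_esc_url( $url ) {
    $url = preg_replace( '|[^a-z0-9-~+_.?#=!&;,/:%@$\|*\'()\[\]\\x80-\\xff]|i', '', $url );
    $url = str_replace( '&', '&#038;', $url );
    $url = str_replace( "'", '&#039;', $url );
    return $url;
}

// Constructed request: the attacker puts an attribute breakout and a script
// tag in the path, followed by a plausible admin page query. The page slug
// "example-plugin" is hypothetical.
$_SERVER['REQUEST_URI'] = '/wp-admin/admin.php/"><script>alert(document.cookie)</script>?page=example-plugin';

// The pattern that made the plugins exploitable: the unescaped return value
// is concatenated straight into an href attribute.
function vulnerable_link() {
    $url = stub_add_query_arg( 'tab', 'settings' );
    return '<a href="' . $url . '">Settings</a>';
}

// The fix: escape the URL for the HTML attribute context before printing it.
function hardened_link() {
    $url = stub_add_query_arg( 'tab', 'settings' );
    return '<a href="' . stub_esc_url( $url ) . '">Settings</a>';
}

echo "Vulnerable:\n" . vulnerable_link() . "\n\n";
echo "Hardened:\n" . hardened_link() . "\n";
```

In the vulnerable output the double quote in the path closes the href attribute and the script tag lands in the page as markup; in the hardened output the quote and the angle brackets are stripped and the ampersand is entity-encoded, so the attacker's text stays inside the attribute as harmless characters. Whether the raw quote and angle brackets ever reach the server depends on the client, since some browsers percent-encode them in the path before sending the request; that is not something a plugin can rely on, so escaping on output is the only reliable fix. When the URL is not printed but passed to wp_redirect() or saved to the database, use esc_url_raw() instead. To audit your own plugins, search their source for add_query_arg and remove_query_arg and confirm that every result that reaches HTML passes through esc_url().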
Update Your Plugins – Keeping WordPress Secure
At this stage we recommend that you log in to your WordPress dashboard with an administrator account and update every plugin installed on your WordPress site. Here are also some tips to help you keep your WordPress as secure as possible:
Keep Your WordPress Up to Date: always run the latest stable release of WordPress itself and of every plugin and theme you have installed.
Monitor All WordPress Activity: logs are not just there to consume hard disk space, so use them wisely. Install the WP Security Audit Log plugin to keep track of everything that happens on your WordPress site, and review the logs from time to time to ensure all activity is legitimate.
Restrict Access: follow the principle of least privilege and restrict each user, plugin and theme to the access it needs to do its job. Never give a component more privileges than it needs.
Install Only What is Needed: this might sound like common sense, though unfortunately it is not followed most of the time. Install only the plugins you need, and always remove (i.e. delete the files from the web server) any unused plugins, themes or other third-party components. A deactivated plugin's PHP files are still on the server and can still be reached directly, so deactivating is not enough.
Subscribe to WP Security Bloggers: subscribe to the WP Security Bloggers website so you always get the latest WordPress security news. WP Security Bloggers is a news feed featuring the most popular WordPress security sites and sources that publish WordPress security news.
The above are just a few recommendations and there is much more you can do to harden the security of your WordPress. For more recommendations browse through our WordPress security blog or get in touch with us.