Multiple WordPress Plugins are vulnerable to Cross-site Scripting (XSS) due to the misuse of the add_query_arg() and remove_query_arg() functions. These are popular functions used by developers to modify and add query strings to URLs within WordPress.
The official WordPress Official Documentation (Codex) for these functions was not very clear and misled many plugin developers to use them in an insecure way. The developers assumed that these functions would escape the user input for them, when it does not. This simple detail, caused many of the most popular plugins to be vulnerable to XSS.
To date, this is the list of affected plugins:
- WordPress SEO
- Google Analytics by Yoast
- All In one SEO
- Gravity Forms
- Multiple Plugins from Easy Digital Downloads
- Download Monitor
- Related Posts for WordPress
- My Calendar
- P3 Profiler
- Multiple iThemes products including Builder and Exchange
- Ninja Forms
There are probably a few more that we have not listed. If you use WordPress, we highly recommend that you go to your wp-admin dashboard and update any out of date plugins now. This issue was first identified by Joost from Yoast in one of his plugins (he did a great write up about it as well).
If you use WordPress, now it is your turn to update your plugins!
If you have automatic updates enabled, your site should already be patched, especially in the most severe cases.
Sucuri only analyzed the top 300-400 plugins, far from all of them as you might imagine. So there are likely a number of plugins still vulnerable. If you’re a developer, check your code to see how you are use these two functions:
Make sure you are escaping them before use. We recommend using the esc_url() (or esc_url_raw())functions with them. You should not assume that add_query_arg and remove_query_arg will escape user input. The WordPress team is providing more guidelines on how to use them here.
If you use any of these plugins, make sure to update them now! This is also a good time to remind you that all software will have bugs and some of those bugs will inevitably lead to security vulnerabilities, such is the life we live in. Here are some tips and tricks to remember to help reduce your overall threat risk, helping to improve your individual security posture:
- Patch. Keep your sites updated.
- Restrict. Restrictive access control. Restrict your wp-admin directory to only white listed IP Addresses. Only give admin access to users that really need it. Do not log in as admin unless you are really doing admin work. These are some examples of restrictive access control policies that can minimize the impact of vulnerabilities in your site.
- Monitor. Monitor your logs. They may give you clues to what is happening on your site.
- Reduce your scope. Only use the plugins (or themes) that your site really needs to function.
- Detect. Prevention may fail, so we recommend scan your site for indicators of compromise or outdated software. Sucuri Site Scanner and Sitecheck can do that for free for you.
For assistance contact us at 888-852-6587 today.
These principles are commonly applied to most secure networks (or on any business that needs to be PCI compliant), but not many website owners think of them for their own site / environment. These are but a few high level recommendations; we recommend going through Sucuri’s blog for more ideas on how to keep your sites safe and ahead of the threats. For more information contact us today.