WordPress Plugins Affected by XSS Vulnerability

The two functions add_query_arg() and remove_query_arg() are used extensively in WordPress plugin development to add and remove query string parameters on URLs. When they are called without a URL argument they build on $_SERVER['REQUEST_URI'], which is controlled by whoever sends the request, and their return value is not escaped. A plugin that echoes the result straight into a page is therefore open to reflected cross-site scripting (XSS). The WordPress Codex documentation did not make this clear, so many developers used the functions without escaping the output and shipped XSS vulnerabilities in their plugins.

What should I do?

The problem was found by Joost de Valk, lead developer of WordPress SEO by Yoast, while auditing his own plugin. It was disclosed in April 2015 in coordination with the WordPress security team, and patched releases of the affected plugins (WordPress SEO among them) were pushed out within a short time of the disclosure. If you have not updated your plugins and WordPress itself, do so right away: the plugin updates contain the fix.

If you are a WordPress developer, wrap the return value of add_query_arg() and remove_query_arg() in esc_url() before printing it into HTML (an href attribute, for example), or in esc_url_raw() before using it in a redirect or storing it. On their own these functions do not escape the user-controlled input they carry.
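The vulnerable and hardened patterns side by side, as an added example that is not code from the original post or from WordPress. Inside WordPress the real add_query_arg() and esc_url() are used; outside it, simplified stand-ins (an assumption, they reproduce only the behaviour relevant here) let the script run from the command line. The attacker request is constructed for the demonstration.

```php
<?php
// Added illustration; not code from the original post or from WordPress.
// Inside WordPress the real functions are used. Outside it the simplified
// stand-ins below (assumption: they reproduce only the behaviour that matters
// here) let the script run from the command line.

if ( ! function_exists( 'add_query_arg' ) ) {
    // Stand-in supporting only the (key, value, url) form. Like the real
    // function, with no URL argument it builds on $_SERVER['REQUEST_URI'],
    // which the requester controls, and it does not escape the result.
    function add_query_arg( $key, $value, $url = null ) {
        $base = ( null === $url ) ? $_SERVER['REQUEST_URI'] : $url;
        $sep  = ( false === strpos( $base, '?' ) ) ? '?' : '&';
        return $base . $sep . rawurlencode( $key ) . '=' . rawurlencode( $value );
    }
}

if ( ! function_exists( 'esc_url' ) ) {
    // Stand-in for the HTML-attribute escaper (the real one also filters
    // protocols and rejects malformed URLs).
    function esc_url( $url ) {
        return htmlspecialchars( $url, ENT_QUOTES, 'UTF-8' );
    }
}

// Constructed attacker request (demo only; never overwrite this in real code):
// the path carries a quote that closes the href attribute early, followed by
// a script tag.
$_SERVER['REQUEST_URI'] = '/wp-admin/admin.php/"><script>alert(1)</script>?page=myplugin';

// Vulnerable pattern: the unescaped return value is dropped into an attribute.
function vulnerable_link() {
    return '<a href="' . add_query_arg( 'tab', 'settings' ) . '">Settings</a>';
}

// Hardened pattern: escape at the point of output, in the HTML context.
function hardened_link() {
    return '<a href="' . esc_url( add_query_arg( 'tab', 'settings' ) ) . '">Settings</a>';
}

echo vulnerable_link(), PHP_EOL;
echo hardened_link(), PHP_EOL;
```

In the first line printed, the raw `"><script>` sequence from the request lands inside the href attribute and the browser runs it; in the second, the quote and angle brackets are entity-encoded and the link is inert. For a redirect (wp_redirect()) use esc_url_raw() instead, because esc_url() entity-encodes for HTML and that encoding is not wanted in a Location header.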

There may be more plugins with this class of vulnerability, so, as said above, always keep your WordPress plugins up to date. Other ways to keep your site safer:

  • Stay updated, always: core, plugins and themes.
  • Monitor your login logs so you know who logs in to your site and what access they have.
  • Remove plugins you do not need; unused plugins are still code on your server that has to be patched.
  • Give administrator access only to those who really require it.

Read the WordPress security release notes and apply the necessary updates to your WordPress-powered website.

1 comment
  1. Thanks for the heads up. It would have been even more helpful if your post included the date at which you are reporting this issue. That would help your readers determine whether that vulnerability is currently present in their websites or has been patched by recent updates.
