WordPress Plugins Affected by XSS Vulnerability

Avatar of Arslan Rashid Arslan Rashid Updated: June 20, 2022

The two functions add_query_arg() and remove_query_arg() are used extensively in WordPress development to add, modify, and remove query-string parameters in URLs. Used carelessly, these functions leave a plugin open to cross-site scripting, also known as XSS. The documentation on the WordPress Codex was vague about the fact that their return value is not escaped, which led developers to output the result directly and made their plugins vulnerable to XSS.

WordPress Plugins Affected By XSS Vulnerability

  • Jetpack
  • WordPress SEO
  • Google Analytics by Yoast
  • All In One SEO
  • Gravity Forms
  • Multiple Plugins from Easy Digital Downloads
  • UpdraftPlus
  • WP-E-Commerce
  • WPTouch
  • Download Monitor
  • Related Posts for WordPress
  • My Calendar
  • P3 Profiler
  • Give
  • Multiple iThemes products including Builder and Exchange
  • Broken-Link-Checker
  • Ninja Forms

What should I do?

This loophole was first detected by Joost, the lead developer of WordPress SEO by Yoast. It is a recent discovery and was resolved within a couple of hours after it was initially identified. The solution is simple: if you have not yet updated your plugins, as well as WordPress itself, do it right away, since the plugin updates contain a patch that removes this security risk.

If you are a WordPress developer, make sure to wrap the result of the add and remove query functions described above in esc_url() or esc_url_raw(), because on their own these functions do not escape user input.
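The pattern above, shown as an added example that is not code from the article or from any of the listed plugins. It assumes it runs inside a loaded WordPress plugin; the function names are hypothetical, and the only WordPress APIs used are add_query_arg(), remove_query_arg(), esc_url(), esc_url_raw(), admin_url() and wp_safe_redirect().

```php
<?php
// Added example (not from the article). When add_query_arg() or
// remove_query_arg() is called without a URL argument, it builds on
// $_SERVER['REQUEST_URI'], i.e. on whatever the visitor sent in the request,
// and neither function escapes its return value.

// Vulnerable pattern: the unescaped URL is echoed straight into an attribute,
// so a crafted request URI can break out of the href and inject markup.
function wparena_demo_next_link_unsafe() {
    $url = add_query_arg( 'paged', 2 );                 // based on REQUEST_URI
    echo '<a href="' . $url . '">Next page</a>';        // no escaping
}

// Hardened pattern for HTML output: esc_url() sanitises the URL and encodes
// the characters that would otherwise close the attribute.
function wparena_demo_next_link_safe() {
    $url = add_query_arg( 'paged', 2 );
    echo '<a href="' . esc_url( $url ) . '">Next page</a>';
}

// Passing an explicit base URL avoids building on REQUEST_URI, but the
// result must still be escaped before it is printed.
function wparena_demo_settings_link_safe() {
    $url = add_query_arg( 'tab', 'general', admin_url( 'admin.php?page=demo' ) );
    echo '<a href="' . esc_url( $url ) . '">Settings</a>';
}

// Hardened pattern for non-HTML contexts (redirects, database, headers):
// esc_url_raw() sanitises without HTML-encoding the ampersands.
function wparena_demo_redirect_safe() {
    $url = remove_query_arg( 'settings-updated' );      // based on REQUEST_URI
    wp_safe_redirect( esc_url_raw( $url ) );
    exit;
}
```

A quick audit check for an existing plugin is to grep for add_query_arg( and remove_query_arg( and confirm every hit that reaches echo, printf or an attribute passes through esc_url() first.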

There may be more plugins with such security vulnerabilities, so to be safe, as said before, always keep your WordPress plugins up to date. Here are some other ways you can keep your site safer:

  • Stay updated, always.
  • Monitor your login logs so you know who logs in to your site and what access they have.
  • Remove unnecessary plugins which are not required.
  • Give admin access only to those who really require it.

It is highly recommended that you read the WordPress Security Release and apply the necessary changes to your WordPress powered website.

This post was originally published on: May 8, 2015 and was updated on: June 20, 2022.
Arslan Rashid

Arslan is an Electrical Engineering student who has a keen interest in the WordPress developments and upcoming technologies. He likes to share interesting knowledge with the readers.

  1. Alex says

    July 16, 2018

    Thanks for the heads up. It would have been even more helpful if your post includes the date at which you are reporting this issue. That would help your reader determines whether that vulnerability is currently present in their websites or patched by recent updates.
