WordPress Plugins Affected by XSS Vulnerability

The two functions add_query_arg() and remove_query_arg() are used extensively in WordPress development to add, modify and strip query-string parameters on URLs. Neither function escapes its output, so a plugin that echoes the returned URL straight into a page is vulnerable to cross-site scripting (XSS). The documentation on the WordPress Codex was vague on this point, which led many developers to use these functions without escaping and left their plugins open to XSS.


What should I do?

This loophole was first detected by Joost de Valk, the lead developer of WordPress SEO by Yoast. It is a recent discovery and was fixed in the affected plugins within a couple of hours of being identified. The remedy is simple: if you have not yet updated your plugins and WordPress itself, do it right away, because the plugin updates contain the patch that removes this security risk.

If you are a WordPress developer, make sure to pass the result of add_query_arg() and remove_query_arg() through esc_url() (for HTML output) or esc_url_raw() (for redirects and storage) before using it, because on their own these functions do not escape user input.
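The pattern described above, side by side with its hardened form, as an added example that is not code from the article or from any of the affected plugins. It assumes a loaded WordPress environment (the path to wp-load.php is an assumption for your install) so that add_query_arg(), remove_query_arg(), esc_url(), esc_url_raw() and wp_safe_redirect() are available; the request URI at the bottom is a constructed value used only to compare the two outputs.

```php
<?php
// Added example, not the article's own code. Assumes WordPress is loaded so
// the core helper functions exist; adjust the require path for your install.
require_once __DIR__ . '/wp-load.php';

/**
 * Before: the vulnerable pattern. With no URL argument, add_query_arg()
 * builds on $_SERVER['REQUEST_URI'], which the visitor controls, and returns
 * it unescaped. Echoing it straight into an href attribute reflects whatever
 * the request URI contained, including a double quote that closes the attribute.
 */
function pagination_link_unescaped( $page ) {
    return '<a href="' . add_query_arg( 'paged', (int) $page ) . '">Page ' . (int) $page . '</a>';
}

/**
 * After: identical logic, but the URL is escaped for the HTML attribute
 * context at the point of output. esc_url() strips characters outside its
 * allowed set (double quotes, angle brackets, whitespace) and rejects
 * dangerous protocols, so the attribute cannot be broken out of.
 */
function pagination_link_escaped( $page ) {
    $url = add_query_arg( 'paged', (int) $page );
    return '<a href="' . esc_url( $url ) . '">Page ' . (int) $page . '</a>';
}

/**
 * Same rule for remove_query_arg(): sanitise at output, never trust the
 * rebuilt URL just because the parameters you removed were your own.
 */
function reset_filters_link() {
    $url = remove_query_arg( array( 'orderby', 'order' ) );
    return '<a href="' . esc_url( $url ) . '">Reset filters</a>';
}

/**
 * Non-display contexts (a redirect, or saving a URL to the database) use
 * esc_url_raw(), which applies the same sanitisation without HTML-encoding
 * the result. wp_safe_redirect() additionally restricts the target host.
 */
function redirect_to_page( $page ) {
    $url = esc_url_raw( add_query_arg( 'paged', (int) $page ) );
    wp_safe_redirect( $url );
    exit;
}

// Constructed request URI for a local comparison: it contains a literal
// double quote, the character that lets unescaped output escape the href.
$_SERVER['REQUEST_URI'] = '/shop/?q=a"b';

echo "Unescaped: " . pagination_link_unescaped( 2 ) . "\n";
echo "Escaped:   " . pagination_link_escaped( 2 ) . "\n";
```

Run it once against a test install and compare the two lines: the unescaped link carries the quote through into the attribute, while the escaped link has it removed. The same review applies to every place a plugin prints a URL built from these helpers, including admin screens, since the request URI is attacker-controlled on every page.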

There may be more plugins with this kind of vulnerability, so, as said above, always keep your WordPress plugins up to date. Here are some other ways you can keep your site safer:

  • Stay updated, always.
  • Monitor your login logs so you know who logs in to your site and what access they have.
  • Remove plugins that are no longer required.
  • Give admin access only to those who really need it.

It is highly recommended that you read the WordPress Security Release and apply the necessary changes to your WordPress-powered website.

Arslan Rashid
Arslan is an Electrical Engineering student who has a keen interest in the WordPress developments and upcoming technologies. He likes to share interesting knowledge with the readers.

1 COMMENT

  1. Thanks for the heads up. It would have been even more helpful if your post included the date at which you are reporting this issue. That would help your readers determine whether the vulnerability is currently present in their websites or has been patched by recent updates.
