The two functions add_query_arg() and remove_query_arg() are used extensively in WordPress development in modifying and adding query strings to URLS. These functions makes a plugin vulnerable to hacking particularly by cross-site scripting which is also known as XSS. The documentation on WordPress codex was vague which led the developers to use these functions and became vulnerable to XSS.
WordPress Plugins Affected By XSS Vulnerability
- WordPress SEO
- Google Analytics by Yoast
- All In one SEO
- Gravity Forms
- Multiple Plugins from Easy Digital Downloads
- Download Monitor
- Related Posts for WordPress
- My Calendar
- P3 Profiler
- Multiple iThemes products including Builder and Exchange
- Ninja Forms
What should I do?
This loophole was first detected by Joost the leading developer of WordPress SEO by Yoast. This is a recent discovery and was resolved within a couple of hours after it was initially identified. The solution to this problem is that if you have not updated the plugins as well as WordPress as a whole then do it right away since the update of plugins contains a patch to avoid any security risk.
If you are a WordPress developer, make to use use esc_url() or esc_url_raw()) functions with the add and remove query functions described above because only using these functions would not escape the user input.
There may be more plugins with such security vulnerabilities, to be safe as said before always keep your WordPress plugins up to date. Here are some other ways you can keep your site safer:
- Stay updated, always.
- Monitor your log in logs to make sure who logs in to your site and what access he has.
- Remove unnecessary plugins which are not required.
- Give your admin access to only those who really require.
It is highly recommended that you must read the WordPress Security Release and apply the necessary changes to your WordPress powered website. Making your WordPress site More Secure by Adding HTTPS and SSL