Recently it has become apparent that an XSS (Cross-Site Scripting) vulnerability exists in a large number of widely used plugins. It was caused by the misuse of the add_query_arg() and remove_query_arg() functions, which developers use very frequently.
It is known that the WordPress Codex was not very clear on the use of these functions and misled developers into using them in an insecure way: developers assumed the functions would escape user input automatically, but they do not.
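The following is an added example, not code from the original post or from any of the plugins listed, showing the insecure pattern beside the corrected one. It assumes it runs inside WordPress (for instance as an admin-page callback), since add_query_arg(), remove_query_arg() and esc_url() are WordPress functions; the example_* function names are hypothetical.

```php
<?php
// Added example (not from the original post). Assumes WordPress is loaded.

// Insecure pattern: when no base URL is passed, add_query_arg() builds on
// $_SERVER['REQUEST_URI'], which is request-controlled input, and returns
// the result without any escaping. Printing it straight into an attribute
// puts whatever was in the request URI into the page markup.
function example_pagination_link_insecure( $page ) {
    return '<a href="' . add_query_arg( 'paged', (int) $page ) . '">Next</a>';
}

// Corrected pattern: escape at the point of output. esc_url() is the right
// escaper for a URL placed in HTML; esc_url_raw() is for URLs used outside
// HTML, such as when storing them or passing them to a redirect.
function example_pagination_link_safe( $page ) {
    $url = add_query_arg( 'paged', (int) $page );
    return '<a href="' . esc_url( $url ) . '">Next</a>';
}

// remove_query_arg() uses the same default base URL, so it needs the same
// treatment before its result is echoed.
function example_clear_filter_link_safe() {
    return '<a href="' . esc_url( remove_query_arg( 'filter' ) ) . '">Clear</a>';
}
```

When auditing a plugin, search for every echo or return of add_query_arg()/remove_query_arg() output and confirm it passes through esc_url() (or esc_url_raw() for non-HTML contexts) first.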
To date, these plugins have been affected:
- WordPress SEO
- Google Analytics
- All In one SEO
- Gravity Forms
- Multiple Plugins from Easy Digital Downloads
- WP e-Commerce
- Download Monitor
- P3 Profiler
- iThemes Exchange
- Ninja Forms
- Aesop Story Engine
- My Calendar
This is only a short list of popular plugins; various smaller plugins you use could also be affected.
The best way to make sure your site is secure is to keep all your plugins up to date and grab a couple of backups – just in case.
If you're not sure whether this issue affects you, or don't know how best to fix the problem, speak to your IT support department or drop us a line. We'd love to offer advice on keeping your networks and PCs safe.