On April 21st 2015, WordPress 4.1.2 was released to address several critical security vulnerabilities. The most notable of these is the XSS vulnerability that affects many WordPress plugins.
XSS Vulnerability
Who does it impact?
Quite a lot of people running popular and widely used plugins that don’t escape the user-controlled input passed through add_query_arg() and remove_query_arg(). Below is a non-exhaustive list of plugins that are susceptible to this vulnerability:
- Jetpack
- All In one SEO
- Gravity Forms
- WP-E-Commerce
- WordPress SEO
- Google Analytics by Yoast
- WPTouch
- Related Posts for WordPress
How did it happen?
There are those who will sensationalize the story to be about “developers struggling” with “ambiguous documentation”. While a lack of specificity in the documentation did lead some developers to assume those functions would escape the user input, their assumption was in error. When in doubt, always escape and sanitize user input before using it – or, even better – view the source of the function to see for yourself.
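As an added illustration (not code from the original post or from WordPress core), here is the vulnerable pattern beside its hardened form. It assumes the function_exists()-guarded stand-ins defined in the block when run outside WordPress; inside WordPress the real add_query_arg() and esc_url() are used instead.

```php
<?php
// Added example, not code from the original post or from WordPress core.
// Assumption: outside WordPress the minimal stand-ins below are used so the
// script runs on its own; inside WordPress the function_exists() guards
// keep the real add_query_arg() and esc_url() in place.

if (!function_exists('add_query_arg')) {
    // Stand-in for the behaviour that matters here: with no URL argument the
    // function builds on $_SERVER['REQUEST_URI'] and returns a URL string,
    // not an HTML-safe string. It applies no HTML escaping of its own.
    function add_query_arg($key, $value = '', $url = '') {
        $base  = ($url !== '') ? $url : $_SERVER['REQUEST_URI'];
        $parts = explode('?', $base, 2);
        parse_str($parts[1] ?? '', $query);
        $query[$key] = $value;
        return $parts[0] . '?' . http_build_query($query);
    }
}

if (!function_exists('esc_url')) {
    // Simplified stand-in: encode the characters that would end an HTML
    // attribute early. Real esc_url() also checks the scheme and strips
    // invalid characters, so use the real function inside WordPress.
    function esc_url($url) {
        return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    }
}

// Constructed request URI: the path segment carries a double quote, which is
// legal in a request line but ends an href="..." attribute when echoed raw.
$_SERVER['REQUEST_URI'] = '/wp-admin/admin.php/"x?page=demo';

// Vulnerable pattern: the returned URL goes straight into the attribute.
function render_link_unescaped() {
    return '<a href="' . add_query_arg('tab', 'settings') . '">Settings</a>';
}

// Hardened pattern: escape at the point of output, whatever the caller assumed.
function render_link_escaped() {
    return '<a href="' . esc_url(add_query_arg('tab', 'settings')) . '">Settings</a>';
}

echo render_link_unescaped(), PHP_EOL; // quote from the request breaks the attribute
echo render_link_escaped(), PHP_EOL;   // quote arrives as &quot; and stays inside it
```

The same output escaping applies to remove_query_arg(), which returns a URL built the same way.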
What’s the solution?
Many of the plugins with these vulnerabilities have been patched, and WordPress has released version 4.1.2 as a patch to the core. However, that’s not the end of the story. It is not enough to simply update the core and the first wave of plugin updates. There is often a series of subsequent waves of plugin updates that are released days, weeks, or even much longer afterwards. Typically this is due to a lack of awareness of the issue by plugin developers, and/or to delays in releasing patches and updates. No matter the reason, it is absolutely critical that you stay on top of these updates. Plenty of unscrupulous people and organizations await any and every opportunity to exploit every vulnerability. You may think that your WordPress website isn’t popular or important enough to be a valued target, but to the unscrupulous – it is.
Don’t lose your head!
Don’t lose your head over the litany of WordPress updates, plugin updates, and theme updates. We offer an affordable WordPress Maintenance Plan where we update your entire WordPress site, plugins, and themes on a daily basis. Let our dedicated WordPress professionals handle the WordPress tech, and you handle your business – as it should be. Of course – all of our Managed WordPress Hosting plans include our WordPress Maintenance service.