Admins should update all WordPress components

Apr 21, 2015 12:20 GMT

Two functions widely used by WordPress developers to create plugins for the content management system (CMS) have been employed in an insecure manner that allows ill-intentioned actors to run cross-site scripting (XSS) attacks and reach sensitive areas of the website.

The list of vulnerable plugins contains at least 17 entries, some of them with over one million active installs, including Jetpack, WordPress SEO by Yoast, Google Analytics by Yoast, and All in One SEO Pack.

User input is not automatically escaped

The issue is that “add_query_arg()” and “remove_query_arg(),” functions used to add and modify query strings in WordPress URLs, were not clearly documented in the Codex (the WordPress online manual), and developers could read the documentation as implying that user input passed through them was escaped.

In fact, the opposite was true: the functions do not escape their output, so developers have to escape it themselves before it reaches the page, otherwise external input can inject content other than the intended URL.

The developers at Yoast were alerted to the security risk by Johannes Schmitt of code inspection company Scrutinizer, and as soon as the cause of the problem was tracked down, it became clear that other WordPress plugins might be affected.

Joost de Valk, developer at Yoast, said in a blog post on Monday that “both the Codex and the developer documentation on WordPress.org for these functions were missing the fact that you had to escape their output. In fact, the examples in them when copied would create exploitable code straight away.”
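The escaping requirement described above, shown as an added example written for this page (it is not code from the article, from Yoast, from Sucuri or from WordPress core). The script runs stand-alone with the PHP command-line interpreter: build_page_link() is a hypothetical, simplified stand-in for add_query_arg() called without a URL argument, which in WordPress starts from $_SERVER['REQUEST_URI'] and returns the rebuilt URL unescaped; render_link_insecure(), render_link_secure() and attribute_is_intact() are hypothetical names; htmlspecialchars() stands in for esc_url() so that nothing from WordPress is needed; the sample request URIs are constructed.

```php
<?php
// Added example; not code from the article, Yoast, Sucuri or WordPress core.
// It reproduces, outside WordPress, why the output of add_query_arg() and
// remove_query_arg() must be escaped: when no URL argument is given, both
// functions start from $_SERVER['REQUEST_URI'], which the visitor controls,
// and return the rebuilt URL without any HTML escaping.

/**
 * Hypothetical, simplified stand-in for add_query_arg( $key, $value ) called
 * without a $url: take the current request URI and set one query parameter.
 * Like the WordPress function, it does NOT HTML-escape what it returns.
 */
function build_page_link(string $request_uri, string $key, string $value): string
{
    $parts = explode('?', $request_uri, 2);
    $path  = $parts[0];
    $query = [];
    if (isset($parts[1])) {
        parse_str($parts[1], $query);
    }
    $query[$key] = $value;
    return $path . '?' . http_build_query($query);
}

// The pattern the article describes as exploitable: the function's return
// value is written straight into an attribute (in a plugin this would be
// echo add_query_arg( 'paged', 2 ); inside the href).
function render_link_insecure(string $request_uri): string
{
    return '<a href="' . build_page_link($request_uri, 'paged', '2') . '">Next</a>';
}

// The corrected pattern: escape the output before it reaches the page.
// In a plugin this is esc_url( add_query_arg( 'paged', 2 ) ); here
// htmlspecialchars() stands in for esc_url() so the script runs stand-alone.
function render_link_secure(string $request_uri): string
{
    $url = htmlspecialchars(build_page_link($request_uri, 'paged', '2'), ENT_QUOTES, 'UTF-8');
    return '<a href="' . $url . '">Next</a>';
}

// Defender-side check used below: a well-formed <a href="..."> built from
// these templates contains exactly two double quotes. A raw quote coming
// from the URL adds more and ends the attribute early.
function attribute_is_intact(string $html): bool
{
    return substr_count($html, '"') === 2;
}

// Constructed request URIs (in WordPress these would arrive through
// $_SERVER['REQUEST_URI']): one ordinary, one whose path carries a double
// quote, the character that breaks out of a quoted attribute.
$samples = [
    'ordinary' => '/blog/?cat=news',
    'tampered' => '/blog/"x/?cat=news',
];

foreach ($samples as $label => $uri) {
    $insecure = render_link_insecure($uri);
    $secure   = render_link_secure($uri);
    printf("%-8s insecure: %s  [%s]\n", $label, $insecure,
        attribute_is_intact($insecure) ? 'attribute intact' : 'ATTRIBUTE BROKEN');
    printf("%-8s secure:   %s  [%s]\n", $label, $secure,
        attribute_is_intact($secure) ? 'attribute intact' : 'ATTRIBUTE BROKEN');
}
```

Running the script with `php` shows the ordinary URI rendering correctly either way, while the tampered URI breaks the href attribute in the insecure output and is rendered harmlessly (the quote becomes `&quot;`) in the secure one. The practical rule for plugin code is the one in the quote above: wrap the return value in esc_url() (or the escaping function appropriate to the context) every time it is printed.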

Following this discovery, the documentation for WordPress was corrected. With help from website security company Sucuri, other plugins were found to be vulnerable, and their developers were informed of the issue in order to prepare updates for their products.

Dozens of WordPress components are affected

Sucuri checked only the top 300-400 plugins for traces of the vulnerability, but there are products outside this list that use the two functions insecurely and are exposed.

A joint security release coordinated by Sucuri and Yoast has rolled out updates from all the developers involved. Users are strongly advised to update all their WordPress components to the latest version to keep their websites safe from potential XSS attacks.

Apart from the aforementioned WordPress components, the list of affected plugins includes Gravity Forms, multiple plugins from Easy Digital Downloads, UpdraftPlus, WP-E-Commerce, WPTouch, Download Monitor, Related Posts for WordPress, My Calendar, P3 Profiler, Give, multiple iThemes products including Builder and Exchange, Broken-Link-Checker and Ninja Forms.

Getting the latest revision can be done via the automatic update mechanism or by manual installation.