Security Vulnerability :: Widespread XSS Vulnerability in WordPress Plugins and Themes

  • Nidhi Arora
  • 9 years

The teams at Yoast and Sucuri have detected a massive security flaw: many of the most popular WordPress plugins are vulnerable to Cross-site Scripting (XSS) because of the misuse of the add_query_arg() and remove_query_arg() functions. These are among the most used functions in WordPress and have, over time, been adopted by most plugin developers and theme creators. The functions modify and add query strings to URLs within WordPress.

The reason identified is that the official WordPress documentation for these functions in the Codex is not very clear, which has led WordPress developers to use them in a very insecure way. This has made most popular plugins vulnerable to XSS. The concerning part is that this vulnerability is not limited to themes and plugins purchased from marketplaces such as ThemeForest or CodeCanyon; it may easily apply to any WordPress development or website.
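As an added illustration (not code from the original post or from WordPress core), a stripped-down stand-in for add_query_arg() and esc_url() shows why printing the return value straight into HTML is the problem: with no base URL, the function builds on the current request URI, so whatever the request carried comes back in the string. The `_simplified` function names and the request URI are constructed assumptions, not WordPress's own implementation.

```php
<?php
// Stand-in for WordPress add_query_arg() (constructed, simplified):
// with no base URL the real function builds on $_SERVER['REQUEST_URI'],
// and existing query values are carried over without re-encoding.
function add_query_arg_simplified(string $key, string $value, ?string $url = null): string {
    $url = $url ?? $_SERVER['REQUEST_URI'];
    $sep = (strpos($url, '?') === false) ? '?' : '&';
    return $url . $sep . rawurlencode($key) . '=' . rawurlencode($value);
}

// Stand-in for esc_url() (constructed, simplified): the property that matters
// here is that quotes and angle brackets are encoded, so the value can no
// longer terminate the HTML attribute it is printed into.
function esc_url_simplified(string $url): string {
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// Constructed request URI containing characters that close an attribute.
$_SERVER['REQUEST_URI'] = '/wp-admin/admin.php?page=demo&x="><span>constructed</span>';

// Insecure pattern the post describes: the returned URL is echoed as-is,
// so the request-controlled part lands in the page unchanged.
$insecure = '<a href="' . add_query_arg_simplified('tab', 'settings') . '">Settings</a>';

// Hardened pattern: escape at the point of output.
$secure = '<a href="' . esc_url_simplified(add_query_arg_simplified('tab', 'settings')) . '">Settings</a>';

echo "Unescaped: $insecure\n";
echo "Escaped:   $secure\n";

// Self-check: the attribute-closing sequence survives only in the insecure output.
$broken_out = strpos($insecure, '"><span>') !== false;
$contained  = strpos($secure, '"><span>') === false;
echo ($broken_out && $contained) ? "escaping at output contains the value\n" : "unexpected result\n";
```

The same discipline applies to remove_query_arg(), which returns a URL built the same way; the fix that plugin updates shipped was to wrap the output in esc_url() or esc_url_raw() rather than to change how the URL is built.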

What should I do to secure my WordPress website?

It is still not certain which plugins and themes are impacted, so the best course is to check your WordPress installation regularly for upgrades and keep the plugins and themes updated.

ThemeForest and CodeCanyon, the biggest marketplaces for WordPress resources, are actively working with the authors of WordPress products and asking them to update their products. Updates for almost all products should be available for download on the marketplace within a few days.

Apart from that, check your website for any other plugins and remove those that are not used. Update WordPress as soon as possible and keep looking for regular updates.

Which plugins are affected?

As of now, these are the plugins we have found reported on the internet as impacted. Most of them have already released an update, which you should apply to your site. There are many more, and they will soon publish updates.

  • Jetpack
  • WordPress SEO
  • Yoast
  • Google Analytics by Yoast
  • All In One SEO
  • Gravity Forms
  • Easy Digital Downloads (multiple plugins)
  • UpdraftPlus
  • WP eCommerce
  • WPTouch
  • Download Monitor
  • Related s for WordPress
  • My Calendar
  • P3 Profiler
  • Give
  • Multiple iThemes products including Builder and Exchange
  • Broken Link Checker
  • Ninja Forms
  • Aesop Story Engine
  • Link Library
  • Google Analytics Top’s Widget
  • Bilingual Linker
  • Ultimate Member
  • Piklist
  • Seriously Simple Podcasting
  • Cachify
  • bbPress
  • BuddyPress
  • BuddyDrive
  • Sprout Invoices
  • WP Idea Stream
  • Church Themes Content
  • AppPresser
  • WP to Twitter
  • WP Print Friendly
  • TGM Plugin Activation
  • All In One WP Security
  • EventOrganiser
  • The Events Calendar

Reach out to us for help updating your WordPress setup and securing your website against this security threat.
