WordPress Security Advisory – XSS Vulnerability and 4.1.2 Security Update

The common vulnerability that triggered a coordinated update of many popular plugins on 22nd April is caused by two WordPress functions, add_query_arg() and remove_query_arg(), not escaping the URLs they return. These are popular functions used by developers to add and modify query strings in URLs within WordPress.

For the past week, security firm Sucuri has worked with the WordPress core security team to address a cross-site scripting (XSS) vulnerability discovered in more than a dozen popular WordPress plugins.

The official WordPress documentation (Codex) for these functions was not very clear and misled many plugin developers into using them in an insecure way. The developers assumed that these functions would escape the user input for them, when they do not. This simple detail caused many of the most popular plugins to be vulnerable to XSS.
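The following is an added example, not code from the advisory or from any of the plugins listed below, showing the insecure pattern the Codex wording encouraged beside its hardened form. It assumes it runs inside WordPress, where add_query_arg(), remove_query_arg(), esc_url() and admin_url() are defined; the function names and the query key my_plugin_page are placeholders chosen for this illustration.

```php
<?php
/*
 * Added example, not from the advisory or from any listed plugin.
 * Assumes the WordPress runtime (add_query_arg, remove_query_arg,
 * esc_url, admin_url). Function names and the "my_plugin_page" query
 * key are placeholders for this illustration.
 */

// Insecure pattern: with no URL argument, add_query_arg() builds on the
// current request URI, so whatever the visitor put in the URL comes back
// verbatim and unescaped. Printing it straight into an attribute reflects
// that input into the page, which is the XSS the advisory describes.
function myplugin_pagination_link_unsafe( $page ) {
	$url = add_query_arg( 'my_plugin_page', (int) $page );
	return '<a href="' . $url . '">Page ' . (int) $page . '</a>';
}

// Hardened pattern: treat the return value as untrusted and escape it for
// the context it is printed into. esc_url() is the WordPress escaper for
// href/src attributes and neutralises the characters that would otherwise
// close the attribute or inject markup.
function myplugin_pagination_link_safe( $page ) {
	$url = add_query_arg( 'my_plugin_page', (int) $page );
	return '<a href="' . esc_url( $url ) . '">Page ' . (int) $page . '</a>';
}

// remove_query_arg() has the same behaviour, so it gets the same treatment.
function myplugin_reset_link_safe() {
	$url = remove_query_arg( 'my_plugin_page' );
	return '<a href="' . esc_url( $url ) . '">Reset</a>';
}

// Supplying an explicit base URL (here admin_url()) instead of relying on
// the request URI removes the visitor-influenced input, but escaping at
// output time stays in place regardless of where the base URL came from.
function myplugin_settings_link_safe() {
	$url = add_query_arg( array( 'page' => 'my-plugin-settings' ), admin_url( 'admin.php' ) );
	return '<a href="' . esc_url( $url ) . '">Settings</a>';
}
```

The rule of thumb the example encodes: the output of add_query_arg() and remove_query_arg() is data, not markup, and must be escaped with the escaper matching the output context (esc_url() for URL attributes) at the point where it is printed, never assumed clean because it came from a core function.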

Some of the popular plugins that were updated:

WordPress SEO
Google Analytics by Yoast
All In one SEO
Gravity Forms
Multiple Plugins from Easy Digital Downloads
Download Monitor
Related Posts for WordPress
My Calendar
P3 Profiler
Multiple iThemes products including Builder and Exchange
Ninja Forms

Many more plugins and themes not listed here have also released updates.

Log in to your WordPress admin dashboard, go to Dashboard >> Updates, and update all plugins and themes listed there.

Alongside this, WordPress also released its critical security update 4.1.2. All WordPress users are recommended to update their WordPress installs to 4.1.2.

Sources:
1. Sucuri
2. WordPress

© Vinay Murarka. All rights reserved.