WordPress XSS Vulnerability

Multiple WordPress Plugins are vulnerable to Cross-site Scripting (XSS) due to the misuse of the add_query_arg() and remove_query_arg() functions. These are popular functions used by developers to modify and add query strings to URLs within WordPress.

The official WordPress Official Documentation (Codex) for these functions was not very clear and misled many plugin developers to use them in an insecure way. The developers assumed that these functions would escape the user input for them, when it does not. This simple detail, caused many of the most popular plugins to be vulnerable to XSS.

Who is affected?

So far, there is no evidence that suggests the vulnerability is being actively exploited. even with the vulnerabilities in place the risk of exploitation is small, due to the privileges required of users to attack. Though it is important to note that that is no guarantee, and it is important to update your plugins if you have updates available.

Some of the affected plugins are listed below:

  • Yoast post
  • Jetpack post
  • Easy Digital Downloads post
  • Gravity Forms post
  • Ninja Forms post
  • WP eCommerce post
  • UpdraftPlus post
  • iThemes Exchange post
  • Aesop Story Engine post
  • Download Monitor changelog
  • All In One SEO changelog
  • My Calendar post
  • Give changelog
  • Broken Link Checker changelog
  • WPTouch changelog
  • P3 Profiler changelog
  • Related Posts for WP changelog
  • Link Library changelog
  • Google Analytics Top Posts Widget changelog
  • Bilingual Linker changelog
  • Ultimate Member changelog
  • Piklist changelog
  • Seriously Simple Podcasting changelog
  • Cachify changelog
  • bbPress post
  • BuddyPress post
  • BuddyDrive changelog
  • Sprout Invoices changelog
  • WP Idea Stream changelog
  • Church Themes Content changelog
  • AppPresser changelog
  • WP to Twitter changelog
  • WP Print Friendly changelog
  • TGM plugin activation changelog
  • All In One WP Security changelog
  • EventOrganiser post
  • The Events Calendar post

 

Read more below

https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html

http://wptavern.com/xss-vulnerability-affects-more-than-a-dozen-popular-wordpress-plugins

https://poststatus.com/coordinated-plugin-updates-to-address-security-vulnerability-in-many-popular-wordpress-plugins/