Security researchers have identified a number of the world’s leading WordPress plugins to be plagued with a “common,” yet vital Cross-Site Scripting (XSS) vulnerability.
Security researchers at Sucuri are continuing on with their WordPress plugin code audit, this time identifying the world’s most popular WordPress plugins, even some built by the WordPress company (Automattic) themselves, to be plagued by a severe vulnerability due to the misuse of add_query_arg() and remove_query_arg().
“The official WordPress Official Documentation (Codex) for these functions was not very clear,” Daniel Cid, founder and CTO of Sucuri said in a blog post Monday, “and misled many plugin developers to use them in an insecure way. The developers assumed that these functions would escape the user input for them, when it does not. This simple detail, caused many of the most popular plugins to be vulnerable to XSS.”
The list of WordPress plugins vulnerable to the Cross-Site Scripting flaw:
- WordPress SEO
- Google Analytics by Yoast
- All In one SEO
- Gravity Forms
- Multiple Plugins from Easy Digital Downloads
- Download Monitor
- Related Posts for WordPress
- My Calendar
- P3 Profiler
- Multiple iThemes products including Builder and Exchange
- Ninja Forms
Of the over thirteen listed plugins affected, Cid said that may not even be all of them. It is important to ensure if you are using any of the affected plugins that you update right away, by navigating to your WordPress Dashboard > Update.
The Cross-Site Scripting vulnerability in WordPress plugins was initially discovered by Joost de Valk from Yoast. A code audit firm had first notified Joost who identified the security flaw in one his plugins, spawning him to contact Sucuri who quickly identified this one vulnerability didn’t only affect Joost, it affected millions.
The XSS vulnerability was first uncovered last week, and due to the severity of the flaw alongside the amass of plugins, the two teams worked in a joint security release with all the developers from each team getting involved alongside contacting the WordPress core security team.
The joint security teams analyzed the top 300-400 WordPress plugins of all time, meaning not all widely used plugins can be checked. Cid noted that a number of plugins are presumably still vulnerable, urging developers to check how they use the two functions: add_query_arg and remove_query_arg.
The Sucuri security team says make sure you are escaping them before use. Sucuri recommends “using the esc_url() (or esc_url_raw())functions with them. You should not assume that add_query_arg and remove_query_arg will escape user input.”
The two functions mentioned are commonly used by WordPress developers for modifying or adding query strings in the URL.
If you own or help run a WordPress blog currently utilizing any of the affected plugins listed aboce, we highly recommend you update them as soon as possible. If you have auto-update on, you are likely already protected. But if not, go ahead and run through your WordPress blogs updating the plugins.
While over a dozen XSS vulnerabilities were identified in WordPress plugins, the system itself, the world’s largest blogging platform updated their core today, rolling out a WordPress 4.1.2 security patch. The severe vulnerability could allow an attacker to easily hijack you WordPress website. Though the two vulnerabilities are entirely unrelated, we urge you to update your WordPress core and plugins right away!
Listed below are a number of tips to reduce your websites overall threat risk, while improving your sites security as well:
- Patch: Keep all your WordPress and non-Wordpress sites up to date with the latest patches and security fixes.
- Review your WordPress Logs: WordPress activity logs are not only on your webserver to consume space, thedr logs can actually be used to see what is happening on the back-end of your blog.
- Restrict: Restrict access to who has admin control over the blog, meaning audit all users and only logging into the admin account when admin work is being done.
- Limit: Reduce the amount of plugins or themes your site actually needs to function.
- Monitor: Scan your site for indicators the site may be compromised, vulnerable or using outdated software.
- Defense System: Be sure you have a defense system in place, such as an Intrusion Detection System (IPS) or Web Application Firewall (WAF) which can help block the most common forms of XSS exploits. Companies such as CloudFlare and Sucuri both offer protection services, alongside a number of other trusted companies.
WordPress blog owners are being urged to carefully select which plugins they use on their blog and are also urging developers to audit their code to ensure the plugins remain safe and secure.