
WordPress and the XSS Security Vulnerability

Recently, a widespread security vulnerability was found to affect a large share of the WordPress plugins and themes in circulation. It had the leading WordPress security services worried, and the plugin and theme developers along with them.

The cause was a misuse of the add_query_arg() and remove_query_arg() functions in many WordPress themes and plugins: developers echoed the return value of these functions straight into HTML, which produced a cross-site scripting (XSS) vulnerability across the ecosystem. The WordPress Codex can be partially blamed for not being clear on this point in its documentation, misleading programmers in a way that ended up compromising the security of thousands of websites. The people at Sucuri compiled a list of popular plugins affected by this vulnerability:

Jetpack

WordPress SEO

Google Analytics by Yoast

All In one SEO

Gravity Forms

Multiple Plugins from Easy Digital Downloads

UpdraftPlus

WP-E-Commerce

WPTouch

And more…

This vulnerability affected myriad plugins and themes on Envato, as well as in the WordPress Plugin and Theme Repository. It is bizarre that none of the top WordPress plugin and theme developers noticed it until Joost from Yoast found it in one of his plugins, after which he collaborated with WordPress and Sucuri to get it sorted out.

For a while, the only course left for WordPress users was to wait for an update from each of their theme and plugin providers, every one of them fixing the vulnerability in their own code. Thankfully, the WordPress developers coordinated remarkably well and released a joint update within just two hours of being notified of the issue. Even so, every WordPress user still had to undertake the immense task of updating every single plugin and theme they had been using in order to escape this horrendous vulnerability.

Advanced WordPress users also had the option of fixing the vulnerability themselves, by making sure that every return value of add_query_arg() and remove_query_arg() throughout their site was passed through esc_url() (or esc_url_raw() for non-HTML contexts such as redirects) before being output, instead of assuming that the vulnerable functions escaped user input on their own.
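The pattern described above, as an added example that is not code from the original post or from WordPress core: the vulnerable form (raw add_query_arg() output dropped into an href attribute) beside the hardened form (the same output wrapped in esc_url(), or esc_url_raw() for a redirect target). The stand-in definitions of add_query_arg(), esc_url() and esc_url_raw() are simplified models written for this example so the file runs outside WordPress; they are not the real implementations, and inside WordPress the core functions are used instead. The request URI and the "injected" marker are constructed for the demonstration.

```php
<?php
// Added example, not from the original post or WordPress core.
// When add_query_arg() is called without a base URL it builds the link on
// $_SERVER['REQUEST_URI'], so whatever the visitor put in the current URL is
// reflected into the page. The function never escaped its output, and many
// plugins echoed that output straight into HTML attributes.

// Simplified stand-ins so this file also runs outside WordPress. They model
// only the behaviour relevant here and are NOT the real implementations;
// inside WordPress the core functions are already defined and these are skipped.
if (!function_exists('add_query_arg')) {
    // Model of add_query_arg(array $args, ?string $url): defaults to REQUEST_URI.
    function add_query_arg(array $args, ?string $url = null): string {
        $base = $url ?? $_SERVER['REQUEST_URI'];
        $sep  = (strpos($base, '?') === false) ? '?' : '&';
        return $base . $sep . http_build_query($args);
    }
    // Model of esc_url(): escape for an HTML attribute or text context.
    function esc_url(string $url): string {
        return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    }
    // Model of esc_url_raw(): for non-HTML sinks (redirects, headers, database).
    // Drops characters that have no place in a URL but leaves '&' as a literal.
    function esc_url_raw(string $url): string {
        return preg_replace('/[^a-z0-9\-~+_.?#=!&;,\/:%@$|*\'()\[\]]/i', '', $url);
    }
}

// Constructed request URI: the visitor closed the href attribute with a
// double quote and appended a harmless marker. Anything after the quote lands
// in tag context if the output is not escaped.
$_SERVER['REQUEST_URI'] = '/wp-admin/admin.php?page=my-plugin"><i>injected</i>';

// Before: the vulnerable form found across many plugins.
function vulnerable_link(): string {
    return '<a href="' . add_query_arg(['tab' => 'general']) . '">General</a>';
}

// After: the same call with its output passed through esc_url().
function hardened_link(): string {
    return '<a href="' . esc_url(add_query_arg(['tab' => 'general'])) . '">General</a>';
}

// After, for a non-HTML sink such as wp_redirect(): use esc_url_raw() so that
// '&' stays a literal '&' and the URL remains valid in a Location header.
function hardened_redirect_target(): string {
    return esc_url_raw(add_query_arg(['tab' => 'general']));
}

// Check used below: true if the constructed marker ended up outside the href
// attribute, i.e. it is rendered as live markup rather than as part of the URL.
function marker_rendered_as_markup(string $html): bool {
    if (!preg_match('/href="([^"]*)"(.*)$/s', $html, $m)) {
        return true; // no well-formed href attribute at all
    }
    return strpos($m[2], '<i>injected</i>') !== false;
}

echo vulnerable_link(), "\n";          // attribute closed early, marker is live HTML
echo hardened_link(), "\n";            // quote and angle brackets encoded, link intact
echo hardened_redirect_target(), "\n"; // quote and tags stripped, '&' kept literal
echo marker_rendered_as_markup(vulnerable_link()) ? "vulnerable\n" : "safe\n";
echo marker_rendered_as_markup(hardened_link())   ? "vulnerable\n" : "safe\n";
```

Run it with `php example.php` to see the two renderings side by side; the first line breaks out of the attribute, the second keeps everything inside the quoted href. The same wrapping applies to remove_query_arg(), whose return value also derives from the current request URI when no base URL is given.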

Fortunately, WordPress released an update in August 2015, WordPress 4.2.4, which patched six separate security vulnerabilities in the CMS, including, among others, this XSS vulnerability.

But how do you escape security vulnerabilities like this one before they have been patched? How do you ensure that your WordPress site is safe from vulnerabilities that have not yet been disclosed? We recommend investing in a premium WordPress security plugin, such as Sucuri or Wordfence, which automatically update their databases with newly discovered vulnerabilities, keeping your site safe even when others are not.