WordPress Security: Plugins being Affected by XSS Vulnerability

One of the major advantages of using WordPress for your company website is it’s vast developer community. Many of the custom functionalities that sites often need are already developed as plugins, which your developer can utilize to reduce the billable hours spent developing your site.

Just like any custom code, Plugins are vulnerable to changes and updates made to the WordPress platform. Currently, because of the misuse of functions commonly used to add strings to Word Press URL’s, many of the most WordPress’ most popular plugins are now susceptible to cross-site scripting (XSS). As a result, if your website is using the following plugins, which it likely is, you will need to update them in order to avoid any issues.

This WordPress Security update is not intended to scare you. Just like we all try to keep real bugs out of our homes (particularly spiders) sometimes they get in anyways, similarly bugs in coding occasionally get past developers. It is a part of the game, but luckily your site is not in any serious danger and the fixes are not difficult.

If you are a Word Press User

There should be updates available to your plugins, located in the Plugins tab. If not:

  • In your WordPress Dashboard, select Updates.
  • Go to your wp-admin/update-core.php page to clear the cache for all updates.

This should then show you the updates for your plugins, but be sure to check back to ensure your plugins remain active.

 If you’re a Word Press Developer

According to Yoast.com, if you’re using eitheradd_query_arg or remove_query_arg without passing in the URL, it bases the URL it creates off of $_SERVER[‘REQUEST_URI’]. In that process, it URL decodes the parameter names in the request URI, allowing for XSS. The solution is to simply wrap the output in esc_url.