At least 17 of WordPress’s most popular plugins – and likely even more of them – are vulnerable to cross-site scripting (XSS) flaws that could allow attackers to inject malicious code in the browsers of the sites’ visitors.
The latest security hole and vulnerability has arrived only days after WordPress was updated to fix a similar flaw…
WordPress researchers have warned that the WordPress online publishing platform has an unpatched vulnerability that could allow malicious code to be injected into website comments.
The bug, which affects WordPress versions 4.2 and earlier, allows malicious JavaScript to be injected into a comment field, with the code being activated when the comment is viewed in a user’s browser, according to security firm Klikki Oy. The malicious code triggers a cross-site scripting (XSS) attack, that can steal user data, the company said in an advisory.
List of affected plugins
As of today, this is the list of affected plugins (we regularlyuse the bolded ones ourselves…):
- Jetpack
- WordPress SEO
- Google Analytics by Yoast
- All In one SEO
- Gravity Forms
- Multiple Plugins from Easy Digital Downloads
- UpdraftPlus
- WP-E-Commerce
- WPTouch
- Download Monitor
- Related Posts for WordPress
- My Calendar
- P3 Profiler
- Give
- Multiple iThemes products including Builder and Exchange
- Broken-Link-Checker
- Ninja Forms
What to Do Now?
Regardless if you use any of these plugins listed below, make sure to do a complete backup and full WordPress/plugin/theme:
Update right now!
Tips to always stay secure (as possible!)
Here are some tips and tricks to remember to help reduce your overall threat risk, helping to improve your individual security posture:
- Patch/update frequesntly. Keep all your site’s WPand theese and plugins updated.
- Restrict access. Use restrictive access control. Restrict your wp-admin directory to only white listed IP Addresses. Only give admin access to users that really need it. Do not log in as admin unless you are really doing admin work. These are some examples of restrictive access control policies that can minimize the impact of vulnerabilities in your site. If you don;t know how to do this, drop us a line and we can talk you through it, or assist…
- Monitor activity on your WP sites. Monitor your security logs. They can give you hints to what is happening on your site.
- Reduce your risk. Only use the plugins (or themes) that your site really needs to function. Uninstall ALL others. Some web developers leave old ones in there deactivaterd and out dated. Get rid of ’em.
- Detect. Prevention may fail, so we recommend scan your site for indicators of compromise or outdated software. Sucuri’s plugin & Sitecheck can do that for free for you, so do it when ever you do an update session.
- Hard core Defense. If you have an Intrusion Prevention System (IPS) or Web Application Firewall (WAF), they can help block most common forms of XSS exploits.The CloudFlare WAF protects against XSS and SQL injection attacks, as well as comment spam. CloudFlare includes the ModSecurity and the OWASP Top 10 vulnerabilities by default.
The Techie Stuff
So, in techie speak the announcement is :
Multiple WordPress Plugins are vulnerable to Cross-site Scripting (XSS) due to the misuse of theadd_query_arg() and remove_query_arg() functions.
These are popular functions used by developers to modify and add query strings to URLs within WordPress.
The official WordPress Official Documentation (Codex) for these functions was not very clear and misled many plugin developers to use them in an insecure way. The developers assumed that these functions would escape the user input for them, when it does not. This simple detail, caused many of the most popular plugins to be vulnerable to XSS.
