WordPress Plugin Vulnerability

22 April 2015
Published: By: Chloe Mayo

According to WordPress security guru’s Sucuri, multiple WordPress plugins have been found to be vulnerable to Cross-site Scripting (XSS) due to the misuse of the add_query_arg() and remove_query_arg() functions.

The have released a list of the initial plugins that have been found to be affected, which can be viewed below.

  • Jetpack
  • WordPress SEO
  • Google Analytics by Yoast
  • All In one SEO
  • Gravity Forms
  • Multiple Plugins from Easy Digital Downloads
  • UpdraftPlus
  • WP-E-Commerce
  • WPTouch
  • Download Monitor
  • Related Posts for WordPress
  • My Calendar
  • P3 Profiler
  • Give
  • Multiple iThemes products including Builder and Exchange
  • Broken-Link-Checker
  • Ninja Forms

Yoast initially discovered the vulnerability which lead to an investigation of the top 300 plugins which found the vulnerability is wide-spread. The immediate remediation is to update all affected plugins and await an update from developers for the others.

Ready to start? Get in touch.