According to the WordPress security firm Sucuri, multiple WordPress plugins are vulnerable to Cross-site Scripting (XSS) because of the way they use the add_query_arg() and remove_query_arg() functions. When either function is called without an explicit URL it builds its result from the current request URI, and the value it returns is not escaped. Plugins that echoed that return value straight into page output, rather than passing it through esc_url() or an equivalent escaping function first, can therefore be made to reflect attacker-supplied markup from a crafted link.
They have released a list of the plugins initially found to be affected, reproduced below.
- WordPress SEO
- Google Analytics by Yoast
- All In one SEO
- Gravity Forms
- Multiple Plugins from Easy Digital Downloads
- Download Monitor
- Related Posts for WordPress
- My Calendar
- P3 Profiler
- Multiple iThemes products including Builder and Exchange
- Ninja Forms
Yoast initially discovered the vulnerability, which led to an investigation of the top 300 plugins that found the problem to be widespread. The immediate remediation is to update every affected plugin for which a patched release is already available, and to watch for updates from the developers of the others.
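The following PHP is an added illustration of the add_query_arg() misuse described above; it is not code from Sucuri, Yoast, or any of the listed plugins. add_query_arg_like() is a hypothetical, cut-down stand-in for WordPress's add_query_arg() that reproduces only the behaviour that matters here: it falls back to $_SERVER['REQUEST_URI'] when no base URL is supplied, re-encodes the query string, and returns the path portion untouched and unescaped. The render_link_* functions and the request URI are constructed for the demonstration.

```php
<?php
// Hypothetical stand-in for WordPress's add_query_arg(). Like the real
// function it uses $_SERVER['REQUEST_URI'] when no base URL is given and
// passes the path part through verbatim; the query string is parsed and
// re-encoded, which is why crafted links carry their payload in the path.
function add_query_arg_like(string $key, string $value, ?string $url = null): string
{
    if ($url === null) {
        $url = $_SERVER['REQUEST_URI'];   // attacker-controlled on a crafted request
    }
    $parts = explode('?', $url, 2);
    $base  = $parts[0];                   // path: returned unchanged and unescaped
    $query = [];
    if (isset($parts[1])) {
        parse_str($parts[1], $query);     // query: parsed, then re-encoded below
    }
    $query[$key] = $value;
    return $base . '?' . http_build_query($query);
}

// Vulnerable pattern: the returned URL is trusted and placed in an HTML
// attribute with no escaping.
function render_link_vulnerable(): string
{
    $url = add_query_arg_like('page', 'settings');
    return '<a href="' . $url . '">Settings</a>';
}

// Hardened pattern: escape the URL for the context it lands in. Inside a
// real plugin that is esc_url(add_query_arg(...)); htmlspecialchars() stands
// in for esc_url() here so the file runs without WordPress loaded.
function render_link_fixed(): string
{
    $url = add_query_arg_like('page', 'settings');
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">Settings</a>';
}

// Constructed request URI standing in for a link an attacker would send: the
// markup sits in a trailing path segment, not in the query string, so the
// query re-encoding does nothing to it.
$_SERVER['REQUEST_URI'] = '/wp-admin/admin.php/"><img src=x onerror=alert(1)>/?page=x';

echo render_link_vulnerable(), PHP_EOL;
echo render_link_fixed(), PHP_EOL;
```

Run with the PHP CLI. The vulnerable renderer emits the crafted path inside href unchanged, so the double quote closes the attribute and the img tag is parsed as markup. The hardened renderer emits the same path with its quotes and angle brackets entity-encoded, so the attribute stays intact and the payload is inert text. Supplying an explicit base URL as the third argument also removes the dependency on REQUEST_URI, but output escaping is the fix that holds regardless of how the URL was built.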