A recently discovered XSS (Cross Site Scripting) vulnerability in two functions that are frequently used in the development of WordPress: add_query_arg () and remove_query_arg () has caught much attention. The functions are used for adding and modifying of requests in URLs.
This particular flaw was pinpointed by Joost from Yoast in their WordPress SEO Plugin; the flaw was then fixed and everyone promptly informed about the details of the failure.
The reason for the failure was WordPress documentation which had previously incorrectly explained ways of using tools/functions which then resulted in plugin authors using the tool in an insecure manner.
Who happens to be targeted?
Anyone and everyone who is using any of the listed WordPress plugins:
- WordPress SEO
- Google Analytics by Yoast
- All in One SEO
- Gravity Forms
- Extras of Easy Digital Downloads
- Download Monitor
- Related Posts for WordPress
- My Calendar
- P3 Profiler
- Broken Link Checker
- Ninja Forms
It is almost certain that there are plenty more of targeted add-ons; for this particular reason it’s important you login to your WP admin panel and update all the plugins that have available updates. As we’d always advise, don’t fail to first backup your WordPress and then update. If you are using automatic updates of WordPress alone, you should already be protected by now, at least as far as WordPress goes. If, however, you are not using automatic updating you should start as soon as possible – at least because of situations like this one. WordPress is a popular program and everyone is looking for its “vulnerabilities” and flaws, just as they used to for Joomla CMS. So, be aware and do all that’s in your power to protect yourself.
Not sure if your widgets use these functions?
If you are unsure whether a particular plugin uses this tool, what you could do is:
- Archive your /wp-content/ plugins folder into a .zip archive
- Download it to your computer and unzip it
- Through Total Commander (or anything with a more advanced search) search for all the files within that folder: add_query_arg or remove_query_arg
- The shortcut you need for this action while using Total Commander is ALT + F7.
- The result will display all the plug-ins that use these functions. If you have updated them, everything is going to work fine. In case you haven’t and there are no updates for them, remove them for now.
Advice on protection:
- Patches. Make sure you are always updated to the latest version.
- Limit. Restrict access of your WP admin panel to your IP address users only. Also, only use the necessary plugins – nothing more, nothing less.
- Stay on top of your game. Follow logs and get familiar with the requirements that come to your site.
- Search. If the flaw is taken advantage of, create a system that will notify you of such occurrence as soon as possible in order to find the problem qucikly.
- Clean up. When a problem occurs, make sure you thoroughly clean your WordPress so that the situation doesn’t re-occur.
- Make it complicated. Complex passwords, two-factor authentication, hiding of WP logins.
Please contact us if you need help.