Latest WordPress Plugin Vulnerabilities

by ThemeAlert
07 May 2015

There have been a few new stories in the last couple of weeks highlighting a fresh wave of WordPress vulnerabilities that affect a number of popular plugins, so keep reading to check if any of your installed plugins are on the list and need to be updated.

Sucuri released the following warning to let users know about the security flaw that's causing the issues:

“Cross-site Scripting (XSS) due to the misuse of the add_query_arg() and remove_query_arg() functions. These are popular functions used by developers to modify and add query strings to URLs within WordPress.”

A miscommunication in the WordPress Official Documentation is thought to be the cause, with developers using certain functions in a way that isn't wholly secure. Research is currently being undertaken to find out exactly how many plugins are affected, but this is the current list:

  • Jetpack
  • WordPress SEO
  • Google Analytics by Yoast
  • All In one SEO
  • Gravity Forms
  • Multiple Plugins from Easy Digital Downloads
  • UpdraftPlus
  • WP-E-Commerce
  • WPTouch
  • Download Monitor
  • Related Posts for WordPress
  • My Calendar
  • P3 Profiler
  • Give
  • Multiple iThemes products including Builder and Exchange
  • Broken-Link-Checker
  • Ninja Forms

If you use any of the above plugins please ensure you update them as soon as possible, as the issues have been patched in the latest version of every affected plugin.
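For plugin developers wondering what the misuse Sucuri describes looks like in practice, here is an added illustration (not code from ThemeAlert or from Sucuri's advisory) of the unsafe pattern beside the corrected form Sucuri recommended, wrapping the result in esc_url(). It assumes it runs inside WordPress where add_query_arg(), remove_query_arg() and esc_url() are defined; the function names are placeholders.

```php
<?php
// Added example, not from the original post. Assumes a WordPress
// environment (plugin or theme file). Function names are hypothetical.

// VULNERABLE: when no URL is passed, add_query_arg() builds on
// $_SERVER['REQUEST_URI'], i.e. on whatever the visitor requested, and
// returns it without escaping. Printing that straight into an href
// attribute lets a crafted request URI break out of the attribute,
// which is the Cross-site Scripting issue described above.
function themealert_example_next_link_vulnerable( $page ) {
    $url = add_query_arg( 'paged', (int) $page );
    return '<a href="' . $url . '">Next</a>';
}

// FIXED: escape the returned URL for the context it is printed in.
// esc_url() is for HTML output (attributes, links); esc_url_raw() is for
// non-HTML uses such as redirects or saving the URL to the database.
function themealert_example_next_link_fixed( $page ) {
    $url = add_query_arg( 'paged', (int) $page );
    return '<a href="' . esc_url( $url ) . '">Next</a>';
}

// remove_query_arg() behaves the same way, so its output needs the same
// treatment before it reaches the page.
function themealert_example_clear_filters_link_fixed() {
    $url = remove_query_arg( array( 'filter', 'paged' ) );
    return '<a href="' . esc_url( $url ) . '">Clear filters</a>';
}

// Quick audit for plugin authors: search the plugin for calls whose
// result reaches output unescaped, for example
//   grep -rnE "(add|remove)_query_arg" wp-content/plugins/<plugin>/
// and check that every hit that is echoed or placed in markup is wrapped
// in esc_url() (or esc_url_raw() for non-HTML contexts).
```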