According to an article on the Sucuri blog today, there is an extremely widespread security vulnerability in many WordPress plugins. The vulnerability seems to be the result of a breakdown in communication, where developers expected a set of core WordPress functions to do one thing, when they actually do another.
Essentially, most plugin developers (including those working on Automattic’s very own JetPack plugin, apparently) thought that the `add_query_arg()` and `remove_query_arg()` functions escaped any user input when they were executed. They don’t.
As a result, a large number of plugin authors had to release updates, even though many of them had just released security patches for other reasons in the past few weeks.
Basically, if you have any plugins on your site, even home-grown ones, you need to check them out to see if this hole needs to be patched.
Among the top 300-400 WordPress plugins, which were reviewed by the Sucuri team in conjunction with Yoast and a few others, a number of plugins were found to contain this vulnerability. As they point out, they only reviewed a small percentage of the WordPress plugins out there (and didn’t review any themes), so there’s still a lot of work to be done to identify any other unsanitized uses of these functions. If you come across any plugins or themes that you’re using that include this vulnerability, please patch the issue yourself (if you are able to do so), and then notify the developer of the plugin or theme privately (please do not post security vulnerabilities in any public forums). The plugins listed below have all released updates fixing this issue, according to the Sucuri article.
- Jetpack
- WordPress SEO
- Google Analytics by Yoast
- All In one SEO
- Gravity Forms
- Multiple Plugins from Easy Digital Downloads
- UpdraftPlus
- WP-E-Commerce
- WPTouch
- Download Monitor
- Related Posts for WordPress
- My Calendar
- P3 Profiler
- Give
- Multiple iThemes products including Builder and Exchange
- Broken-Link-Checker
- Ninja Forms
If you are a plugin developer, you should absolutely review your plugins to verify whether you’re using `add_query_arg()` and `remove_query_arg()` safely. It should be noted, as I was reviewing some of my plugins, that `wp_nonce_url()` does escape the URL inside, so if you’re using it in conjunction with these functions (e.g. `wp_nonce_url( add_query_arg( array( 'arg1' => 'val1' ), 'http://www.example.org/foo/' ) );`), you should be safe. Most other uses of `add_query_arg()` or `remove_query_arg()` need to be explicitly escaped.
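To make the difference concrete, here is an added example (not code from the Sucuri article or from any of the plugins listed above; the `myplugin_*` function names are hypothetical, and it assumes it runs inside WordPress where `add_query_arg()`, `remove_query_arg()` and `esc_url()` exist) showing the unescaped pattern beside the escaped one:

```php
<?php
/*
 * Added example, not from the Sucuri article or any listed plugin.
 * Assumes a WordPress runtime. Function names are hypothetical.
 */

// BEFORE (unsafe): add_query_arg() called without a base URL builds the
// link on top of $_SERVER['REQUEST_URI'], and neither add_query_arg() nor
// remove_query_arg() escapes anything. Whatever arrived in the request
// URI is therefore printed straight into the href attribute.
function myplugin_pagination_link_unsafe( $page ) {
    $url = add_query_arg( 'paged', (int) $page );
    return '<a href="' . $url . '">Page ' . (int) $page . '</a>';
}

// AFTER (safe): escape the URL for the context it is printed in. For an
// href or form action value that escaper is esc_url().
function myplugin_pagination_link_safe( $page ) {
    $url = add_query_arg( 'paged', (int) $page );
    return '<a href="' . esc_url( $url ) . '">Page ' . (int) $page . '</a>';
}

// The same rule applies to remove_query_arg(): strip the one-shot
// parameters, then escape before output.
function myplugin_filter_form_safe() {
    $action = remove_query_arg( array( 'action', 'id', '_wpnonce' ) );
    return '<form method="get" action="' . esc_url( $action ) . '">'
         . '<input type="submit" value="Filter" /></form>';
}

// Quick self-check a developer can drop into a test: the escaped output
// must never contain a raw double quote or angle bracket from the URL.
function myplugin_href_looks_escaped( $html ) {
    if ( ! preg_match( '/href="([^"]*)"/', $html, $m ) ) {
        return false;
    }
    return strpbrk( $m[1], '"<>' ) === false;
}
```

When auditing a plugin, grep for every `add_query_arg(` and `remove_query_arg(` and confirm each result is either wrapped in `esc_url()` (or `wp_nonce_url()`, as noted above) before it is echoed.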