Researchers have identified a relatively “common” cross-site scripting flaw (XSS) in some famous WordPress plugins — A coordinated plugin update has been released to address the detected cross-site scripting vulnerability.
In case you are using any of the WordPress plugins mentioned below you must install the update released today to eliminate the “common” cross-site scripting vulnerability.
Here is a list of famous WordPress plugins vulnerable to cross-site scripting security flaw:
* WordPress SEO
* Google Analytics by Yoast
* All In one SEO
* Gravity Forms
* Multiple Plugins from Easy Digital Downloads
* Download Monitor
* Related Posts for WordPress
* My Calendar
* P3 Profile
* Multiple iThemes products including Builder and Exchange
* Ninja Forms
These are some of the main plugins but there may be other plugins that are currently vulnerable to the identified cross-site vulnerability. Therefore, it is important to ensure that latest version of every plugin is being run on your device if you use WordPress. If you are unsure about all the WordPress plugins, kindly contact the plugins developer.
Why do you need to update all WordPress plugins?
Same problem exists in all WordPress plugins, that is, while using the add_query_arg() and remove_query_arg() functions the lack of escaping was observed.
These aforementioned functions are quite commonly used by WordPress developers for modifying or adding query string in URLs.
The problem occurred because the Codex documentation of the two functions wasn’t written well. Moreover, the instances used in the Codex didn’t display suitable escaping use cases.
Secure WordPress- Update the Plugins
We suggest that you update all the plugins that are currently installed on your WordPress by logging in to your WordPress dashboard via an administrator account.
These tips and tricks might help you securing your WordPress:
a. Always keep updated version of WordPress because latest versions (whether a plugin, theme or WordPress itself) are more secure and stable
b. You must monitor WordPress activity because logs aren’t only there for consuming hard disk space. You must use logs wisely by installing WP Security Audit Log plugin. It will monitor every activity happening on your WordPress. It will also analyze the logs at regular intervals to ensure legit activity
c. You must endorse the rule of restricting access because using least privileges limits the plugin’s, user’s or theme’s access to every activity. Thus, don’t ever allow any components more privileges than required
d. Always install wisely and what you need. This means, install those plugins only that you need. Also, always delete themes, third party components and plugins that are not in use
e. Subscribing to WordPress Security Bloggers also helps because you always get the latest news about WP security. WP Bloggers is basically a newsfeed that features the highly popular WP security websites and sources that report WP security issues.
Click here to read more on previous critical vulnerabilities found in famous WordPress plugins