Recent WordPress exploit. Update to the latest version, 4.2.1, NOW!
If your website is built on WordPress, I want you to know that there have been recent XSS (Cross-site Scripting) issues with WordPress versions 4.1.1 and earlier. This vulnerability can enable anonymous users to compromise a website if you do not Update your website to the newest WordPress versions and all themes and plugins. The issue was caused by documentation in the official WordPress Codex for the popular functions add_query_arg() and remove_query_arg() not being very clear, which has led to their unsecured use by developers.
This has affected many of the most popular WordPress themes and plugins. A comprehensive review is currently taking place to ensure that issues with the affected ones are being resolved.
According to Gary Pendergast, who is assisting in resolving this, “There is no official headcount on how many plugins are affected, as it’s a case-by-case thing to check.” He has also indicated that some of the affected plugins no longer have automated updates, stating, “Jetpack, EDD, P3, Download Monitor and Related Posts for WP opted-in for auto-updates; I didn’t keep track of who opted out.”
When was this issue discovered, and who was affected?
Joost De Valk first discovered the vulnerabilities in the themes and plugins and shared them on his Yoast site. He identified the issues with the themes and plugins approximately two weeks ago. A group of developers created a joint release with the WordPress security team. This joint release represented a shared mission to resolve these issues and share needed information with current users. All patches and updates were pushed to users within the last week.
As I said, not all affected themes and plugins have been determined. We have listed several identified below; however, this still needs to be completed.
- Gravity Forms
- WP E-Commerce
- WP Touch
- WordPress SEO
- Updraft Plus
- Google Analytics by Yoast
- Jetpack
- All-in-One SEO
- Easy Digital Downloads
- My Calendar
- Ninja Forms
These represent a few of the affected themes and plugins, so if you do not see one you have used on the list, that does not mean it wasn’t a concern. As more research is completed, additional plugins will be identified.
Issues that cause vulnerability are not uncommon; they are more common than most people realize. What is important is that information is shared with the user and that the information needed to protect the user from vulnerabilities is shared.
What is being done to solve this issue?
The WordPress.org team has scrambled to investigate the issue and has released a critical security update, WordPress 4.2.1. This update has been rolled out as an automatic background update for websites enabling this function.
What if I am a developer and I have yet to be contacted?
Suppose you have been using the information provided in the WordPress Codex to develop functions that would correctly escape user input. In that case, you may have added incorrect coding, meaning you could also share the XSS vulnerability. The inaccurate information in the Codex was created in 2009, which means it is possible that you could have entered the wrong coding. First, please check whether you use the functions add_query_arg() and remove_query_arg() in your theme or plugin. If so, you will need to escape the output using one of the following functions:
- If you are using the add_query_arg() or remove_query_arg() in an HTTP header or location redirect, you will need to use esc_url_raw() to escape the output
- If you are using it as a link in printed materials, you will want to use the esc_url()
This information is laid out by Gary Prendergast’s post on the make.wordpress.org page, and it provides the steps needed to escape the output. By making these changes, you can resolve the vulnerabilities created by the original errors.
What if I am not a developer?
You should do that first if you haven’t updated your site to the latest WordPress version. This is critical because keeping your site up to date will help you maintain a secure site. When you purchase new themes and plugins, make sure that you check to see if there are any additional updates you need to load.
Also, look at who has access to your site. Ensure that the people with admin access are the only people you trust and who need it. Don’t overload your site with unnecessary themes and plugins; use only what you need. This will make managing the security of the themes and plugins you need easier. Make your passwords strong with this tool.
You should also regularly scan your site to see if any threats or issues arise, as regular scanning can prevent future problems. Could you make sure that you have a robust prevention system in place? While it may be costly on the front end, the savings from good prevention will pay off in the long run. New threats emerge daily, and prevention is the best defense; your site should be well protected. Think of your site as your business, then defend it. Take the steps to ensure that your site is protected by engaging the proper professional.
Maintenance Package with PX Media.
Feel free to give us a call and get a free quote.