Popular WordPress plugins vulnerable to XSS

At least 17 WordPress plugins – and likely even more of them – have been found vulnerable to cross-site scripting (XSS) flaws that could allow attackers to inject malicious code in the browsers of the sites’ visitors.

A particular vulnerability, first flagged by Johannes Schmitt of Scrutinizer CI, has been first privately disclosed by Sucuri researchers and Yoast developer Joost de Valk to the developers of the affected plugins, including Jetpack, WordPress SEO, WPTouch, My Calendar, and others. Yoast’s own SEO plugin and Google Analytics plugin were also vulnerable.

The vulnerability stems from the misuse of the add_query_arg() and remove_query_arg() functions, often used by developers to modify and add query strings to URLs within WordPress.

“The official WordPress Official Documentation (Codex) for these functions was not very clear and misled many plugin developers to use them in an insecure way,” explained Sucuri’s Daniel Cid. “The developers assumed that these functions would escape the user input for them, when it does not. This simple detail, caused many of the most popular plugins to be vulnerable to XSS.”

Since then, the Codex and developer documents have been amended to close the flaw.

Sucuri researchers have also analyzed the top 300-400 WP plugins, and found 17 that sport the vulnerability (check out the list here). Since then, roughly half of these developers have already issued updates that patch the hole.

This list is by no means complete, and developers are urged to check their code for the two functions and to make sure they are escaping them before use.

WordPress site admins would do well to update the plugins they use.