Topic: XSS Vulnerability Affecting Multiple WordPress Plugins

XSS Vulnerability Affecting Multiple WordPress Plugins

mcpeanut
Participant

@mcpeanut

9 years, 7 months ago

hi all i dont know how widespread this is and if it effects anything buddypress related, if this has been posted in the last week or so i apologize as i havent been around, this was just brought to my attention via an email from code canyone where i have a few premium plugins

THE BELOW ARTICLE WAS PUBLISHED ON THE 20TH OF APRIL AT SECURITY ADVISOR

Multiple WordPress Plugins are vulnerable to Cross-site Scripting (XSS) due to the misuse of the add_query_arg() and remove_query_arg() functions. These are popular functions used by developers to modify and add query strings to URLs within WordPress.

The official WordPress Official Documentation (Codex) for these functions was not very clear and misled many plugin developers to use them in an insecure way. The developers assumed that these functions would escape the user input for them, when it does not. This simple detail, caused many of the most popular plugins to be vulnerable to XSS.

To date, this is the list of affected plugins:

Jetpack
WordPress SEO
Google Analytics by Yoast
All In one SEO
Gravity Forms
Multiple Plugins from Easy Digital Downloads
UpdraftPlus
WP-E-Commerce
WPTouch
Download Monitor
Related Posts for WordPress
My Calendar
P3 Profiler
Give
Multiple iThemes products including Builder and Exchange
Broken-Link-Checker
Ninja Forms

this is a link to the article
https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html

Viewing 6 replies - 1 through 6 (of 6 total)

danbp
Participant

@danbp

9 years, 7 months ago

Thank you for the information.
BP dev’s already handled this issue.

BuddyPress 2.2.3 – Security Release

Latest updates avaible:
WordPress 4.2 & BuddyPress 2.2.3.1 & bbPress 2.5.7

As usual, you’re invited to update your install as soon a security version is avaible.

mcpeanut
Participant

@mcpeanut

9 years, 7 months ago

ahh cool dan i wasnt aware as ive been offline for the past week or so traveling bud, cheers for the link.

mcpeanut
Participant

@mcpeanut

9 years, 7 months ago

@danbp hey dan their seems to also be a very big risk with the wordpress commenting system that i have come across from various wordpress expert groups on fb today, and i believe that wordpress are refusing communication on this matter, please take a look at these 2 links, this could affect anyone using the commenting system with buddypress installs too.

below is a fix that has been found

https://blog.anantshri.info/temp_fix_wordpress_comment_xss

and this is a video showing you the 0 day exploit being executed used and tested.

video doesn’t seem to format here properly i suggest doing a youtube search for it

danbp
Participant

@danbp

9 years, 7 months ago

Thanks @mcpeanut,

By default, WordPress is automatically updated when a security release is commited.
All my sites are already patched.
Probably yours also. 😉

If you’re a network user, sub sites ARE NOT automatically updated, so you have to check this manually. Normally this is mentionned on your network dashboard.

mcpeanut
Participant

@mcpeanut

9 years, 7 months ago

@danbp yes im always bang up to date pal, it just isnt worth the risk i was just posting this as a warning really to those who dont seem to think they have to update and the video may just make them think twice 🙂

Henry Wright
Moderator

@henrywright

9 years, 7 months ago

Hey @mcpeanut!

The pandemonium is rarely related to WordPress core or BuddyPress core (the core devs usually issue a fix before we even know there’s a problem). So it’s a great idea to keep up to date as you’ve already mentioned.

The tricky part arrives when we look at plugins. Whilst WordPress does everything it can to make plugin developers aware of security issues, fixes are ultimately down to the plugin author. It’s always a good idea to use plugins that are activity maintained and supported. The same could be said for themes actually.