Multiple WordPress Plugins are vulnerable to Cross-site Scripting (XSS) due to the misuse of the add_query_arg() and remove_query_arg() functions. These are popular functions used by developers to modify and add query strings to URLs within WordPress.
The official WordPress Official Documentation (Codex) for these functions was not very clear and misled many plugin developers to use them in an insecure way. The developers assumed that these functions would escape the user input for them, when it does not. This simple detail, caused many of the most popular plugins to be vulnerable to XSS.
To date, this is the list of affected plugins:
- Jetpack
- WordPress SEO
- Google Analytics by Yoast
- All In one SEO
- Gravity Forms
- Multiple Plugins from Easy Digital Downloads
- UpdraftPlus
- WP-E-Commerce
- WPTouch
- Download Monitor
- Related Posts for WordPress
- My Calendar
- P3 Profiler
- Give
- Multiple iThemes products including Builder and Exchange
- Broken-Link-Checker
- Ninja Forms
There are probably a few more that we have not listed. If you use WordPress, we highly recommend that you go to your wp-admin dashboard and update any out of date plugins now.
This issue was first identified by Joost from Yoast in one of his plugins (he did a great write up about it as well). We worked together with him to investigate the issue and found that it likely affected a lot more plugins than just that one.
Our research team, along with a few friends (especially Joost from Yoast ) have been going through the WordPress repository for the last few days in an attempt to find and warn as many plugin developers as possible – and to help them patch the issue.
Coordinated Disclosure
This vulnerability was initially discovered last week, due to the varying degrees of severity and more importantly, the large volume of plugins affected, we coordinated a joint security release with all developers involved and the WordPress core security team. It was great team work, and a pleasant experience to see so many developers united and working together for the common good. We can happily say that all plugins have been patched, and as of this morning updates should be available to all users. (yes, everyone pushed their updates in unison 2 hours ago).
If you use WordPress, now it is your turn to update your plugins!
If you have automatic updates enabled, your site should already be patched, especially in the most severe cases.
There Are More Plugins Vulnerable
Our team only analyzed the top 300-400 plugins, far from all of them as you might imagine. So there are likely a number of plugins still vulnerable. If you’re a developer, check your code to see how you are use these two functions:
add_query_arg remove_query_arg
Make sure you are escaping them before use. We recommend using the esc_url() (or esc_url_raw())functions with them. You should not assume that add_query_arg and remove_query_arg will escape user input. The WordPress team is providing more guidelines on how to use them here.
Update Time!
If you use any of these plugins, make sure to update them now! We will continue to investigate and look for more plugins vulnerable and keep our list here current.
This is also a good time to remind everyone that all software will have bugs and some of those bugs will inevitably lead to security vulnerabilities, such is the life we live in. This applies to plugins, themes, webservers, CMS’s and basically anything that is written by people and based on code. As much as developers try to minimize them and deploy secure coding principles, mistakes will inevitably still happen. We just have to be prepared and find ways to minimize the effect of any vulnerability in your environment; a perfect example of such an approach is what you’re seeing today with this coordinate release.
Here are some tips and tricks to help reduce your overall risk profile and help improve your security posture:
- Patch. Keep your sites updated. Always.
- Restrict. Restrictive access control.
- Restrict your wp-admin directory to only white listed IP Addresses. Only give admin access to users that really need it. Do not log in as admin unless you are really doing admin work. These are some examples of restrictive access control policies that can minimize the impact of vulnerabilities in your site.
- Monitor. Monitor your logs.
- They may give you clues to what is happening on your site.
- Reduce your scope. Only use the plugins (or themes) that your site really needs to function.
- Detect. Prevention may fail, so we recommend scan your site for indicators of compromise or outdated software.
- Our plugin and Sitecheck can do that for free for you.
- Defense in Depth. If you have an Intrusion Prevention System (IPS) or Web Application Firewall (WAF), they can help block most common forms of XSS exploits.
- You can even try our own CloudProxy to help you with that.
- If you like the open source route, you can try OSSEC, Snort and ModSecurity to help you achieve that.
These principles are commonly applied to most secure networks (or on any business that needs to be PCI compliant), but not many website owners think of them for their own site / environment.
These are but a few high level recommendations; we recommend going through our blog for more ideas on how to keep your sites safe and ahead of the threats.
“This vulnerability was initially discovered last week”
This part isn’t technically true. This attack vector was first written about by Mike Jolley in 2013 on his blog. It was also the subject of a disclosure to WooCommerce on Jan 27 (which they patched the next day)
Very well remembered!
I found similar issues in WP_Supercache and Simple Page ordering during summer of 2014.
Indeed there is an unfixed issue in one of our suppliers custom WordPress components which has the same cause (they have other reflected XSS suppression, which mistakenly leads them to think it is less important than it is).
During discussion of those issues it was noted that the documentation wasn’t ideal, I’d assumed (perhaps incorrectly) this announcement was a follow-up to those discussions.
I’m guessing users of Sucuri’s WAF should be safe nonetheless from these vulnerabilities?
If you think about what the WAF does it give you a huge amount of protection over sites not using any real security methods.
The application exploits are going to be much harder and if not impossible to conduct behind a strong WAF like Sucuri CloudProxy
(keep in mind nothing his hack proof not even the most expensive or advanced system though the risk is reduced to a extremely small amount compared to non-protected sites )
So you do not have to scramble as others may because the Sucuri SOC has already done that for you. Now with that said it is wise to keep your software updated regardless of what you using to protect your site. My recommendation is to use both the WAF & yes update your site plugins because security extremely important and these updates will make what is extremely unlikely to occur using a web application firewall impossible to occur.
A lot of WAFs will spot reflected XSS, but neither spot, or stop, attempts at enhanced social engineering via the same failure to escape. Ditto browser XSS auditing tools.
Mozilla security folk are right that the correct approach for this is a CSP, and not to use inline JS, there is a WordPress plugin that will generate a CSP for your site, but I haven’t tested (or security tested(!!!)) it yet. But this approach too doesn’t stop the option for enhanced social engineering. Ultimately you need programmers to do it right, and to test to make sure they have.
Thanks! Heading over to update now!
Good job guys! We’ve upgraded all our clients. Thanks for heads up.
Has anyone heard of these vulnerabilities / these specific plugins actually being exploited in the wild? Haring something claiming to be related, but guessing it’s maybe existing malware on a users computer that’s just been alerted to this and trying to exploit it… still skeptical and don’t have sufficient info from that user to say definitively either way.
I’ve only checked a few, but it seems quite difficult to exploit these. Not impossible, mind you, but it would rely on a very specific set of circumstances.
I suppose it happens whenever something like this get’s announced, everyone blames everything on it… I think this is why my car brakes started making noise this morning.
“we coordinated a joint security release with all developers involved and the WordPress core security team”
Any chance that in future you could let us (Envato) know in advance as well, so we can work out a plan before it’s announced? Even if we can’t reach out to all authors in advance, we could work out which plugins will be affected, prepare our communications, etc. It’d be great if you could give us a heads up too! 🙂
offer a bounty program and that just might happen
we have a few plugins in use that are ancient is there any easy way to test plugins to find out other they have this hole in them? also is there anyway to know which if any plugins have been autoupdated? thanks!
@ubernaut:disqus – You have to look in the code of the plugin and see if the following is used and not escaped…
add_query_arg
remove_query_arg
not sure if i’d be able to tell 🙁 should the “esc_url() (or esc_url_raw()” be close by to the other terms?
Yes! The esc_url should wrap the other…..
Esc_url(add_query_arg())
ok thanks for the help!
Is this the same xss vulnerability being patched in WP 4.1.2?
@TJF – Yes and no… You have to update your plugins as well!
Thanks for bringing this to our attention guys. One of the reasons open source rocks!!!!!
Are themes also affected ? If so, is there a list?
Thanks so much to all developers involved, the WordPress core security team and Sucuri for the advisory. Daniel I posted your Blog and a link back to your site for additional info in a email to all the Austin WordPress members, some of us don’t make it to all the Meetups or check in on group’s site everyday so I thought this justified an ‘all-hands’ email. We have also posted the blog on the group’s facebook page. Thank you for being so generous with your information and reaching out to the community with this advisory, we appreciate your team’s work.
Good to know! Last week my site was hacked, but the hacker got into my site through contact -form plugin, which wasn’t listed here.
What interesting is that, the plugin was deactivated. Is it still possible? Does it mean that I have update all plugins whether they are active or not?
which plugin exacty ?
Contact Form plugin
Well, there are multiple plugins that use for contact forms. I use contact form 7. Is that the one you are talking about?
I’m not sure if it was CF 7 since I didn’t use that plugin and I deleted it right away.
Inactive plugins should be deleted. If you need them in the future, they can be re-installed easy enough.
What about 50mm gallery? I’ve been using that to display my portfolio but lately it doesn’t allow me to add new photos into any of the galleries, even if I create a brand new one. I can upload to the media library but not transfer to the galleries. I’ve had multiple people look at it and no one can tell me what’s going on — could something have affected it that has something to do with this? I’m just not sure what to do.
Contact me and I will have a look and let you know what I find.
Marc, I’d love to, how do I contact you?
Check my profile and click on my website link. Just joined Disqus and haven’t read the ToS yet. I don’t want to rock the apple cart.
Ok ToS doesn’t prohibit us from posting contact info – marc@hallmarcwebsites.com
wp-all-import-pro was also hacked
Yay, another security issue. Kudos WordPress!
WP has so many great things about it its hard to complain much about some issues like this
Thats why I still used blogger lol
You know, cause security issues don’t happen to anyone else, especially the size of WordPress. Like Google. Or Apple.
How dare they charge such a premium to use this painfully insecure product!
…back under the bridge…
Thank you for the update, I’m patching our themes now.
Very Valuable information..! Thanks, Daniel Cid for sharing..
Damn… my sites are infected…
Great, I wish we would have had this email and information 4 days ago, now our website is down and we can’t access admin to make any updates. Thanks WordPress 🙁
Mine, too. What can we do about this if we can’t get into the site?
… access the server?
Yep, I contacted Bluehost and they had a step-by-step for solving the problem. And it worked! Thanks for your reply.
Forest for the trees, I guess.
WordPress is not responsible for the security of your website.
Thank you so much for the thorough explanation of this security issue. I’ll be immediately updating all my client’s sites.
Hi Daniel,
Good to be here,
Today while I was adding a twitter
plugin suddenly my page disappeared, I mean i received a message
message from my service providers, saying Account “Account Suspended”
Immediately
i contacted my friend who is taking care of such technical aspects of
my page and he contacted the service providers and they said they found
some suspicious plugin so they stopped it, my friend send a complaint
ticket and am still waiting to fix the problem, hopefully in another
hour or so it will be fixed.
This post speaks lot of things on this aspects this link my online friend
David Leonhardt send to me in time and is very useful to know a bit more
about wordPress plugins.
Thanks for sharing
Have a great day
~ Philip
Great blog and thanks for letting us know.
Nice work – as always, thanks for the warnings!
Thanks for finding this issue and warning us!
A question though:
Has it been considered to fix this in the functions mentioned themselves?
If you would filter the input within the functions, then all plugins would be safe with the update of WP without the need to fix each plugin individually.
An argument as to that it would cost too much resources doesn’t hold as the filter has to be executed nonetheless.
Any remarks?
Exactly what I was thinking. Why wouldn’t they just fix it in WordPress instead of making sure every plugin developer updates their code.
WordPress lol… is a complete shit! A bunch of messed code touched by thousands of people. Learn how to do from scratch first lazy noobs!
Find it difficult making friends, José ?
Nope.. my custom friends maker plugin is running flawlessly lololololol
Nope, just real developers that know how to create a real thing from scratch. Better than “wordpress template duplicators”.
This CMS went from Rocket to a bat sprocket. So many vulnerabilities, so many bugs. I got tired to secure it. I have over 200 projects built with WP and my customers are getting tired also of spending money on security.
Next step is to migrate to Joomla and even if will take 2 years I will get back to Joomla. Because it’s simply the best.
Shit is hitting the fan. Time to change username. This blew up wide. From all over I can see them try. Country blocking might help….
Very pleased to know that all devs united for a common good!
Once again will have to do the hard work, anyway thanks for the timely update otherwise I often discover when sites are infected.
Is esc_html() sufficient to address the issue, or will only esc_url() or esc_url_raw() do the job? I’ve run into a plugin which passes add_query_arg() to wp_nonce_url(), which uses esc_html().
Great blog and thanks for letting us know.
Another plugin that is affected: “stops-core-theme-and-plugin-updates”
LOL, even the name of that one sounds fishy.
I’m using these functions, but never echo urls – I’m outputting with wp_safe_redirect() and a _wpnonce – am I still vulnerable? I’m no hacker, so I don’t get this stuff very easily. If I am vulnerable, how does one escape output in a line like this:
wp_safe_redirect( add_query_arg( $redirect_args, remove_query_arg( array( ‘action’, ‘_wpnonce’ ) ) ) );
Heym, I’m a plugin developer and I’m using these functions in my plugin for admit panel, but I never echo urls – I’m outputting with wp_safe_redirect() and a _wpnonce – am I still vulnerable?
I’m no hacker, so I don’t get this stuff very easily. If I am vulnerable, how does one escape output in a line like this?
wp_safe_redirect( add_query_arg( $redirect_args, remove_query_arg( array( ‘action’, ‘_wpnonce’ ) ) ) );
Seems to me like WP should have updated the core (perhaps with a wrapper function) immediately, whilst giving developers a chance to update on their end since it’s a core issue and not a 3rd party code issue.
Thank you for research and instant notification.
Strangely I was getting lots of malware and adware on my browsers, and I spend about 12 hours trying to get them off my browsers, just to find out it was on the web not on the browser. LOL
My client’s website has been continuously crashing since April 25th, and I’ve tried a number of things to get it up and running. The .htaccess file keeps getting corrupted, and I keep replacing it with a fresh one, but that only temporarily fixes the problem. Any insight?
They started showing up again on my site? I have updated all plugins? anyone got an idea what’s going on?
hello
Apply for a quick and convenient loan to pay off bills and to start a new financing your projects at a cheapest interest rate of 3%. Do contact us today via: elijahloanfirm@outlook.com with loan amount needed as our minimum loan offer is 1,000.00 to any choice of loan amount.I am certified ,registered and legit lender.You can contact me today if you are interested in getting this loan, contact me for more information about the loan process, process like the loan terms and conditions and how the loan will be transferred to you. I need your urgent response if you are interested.
Thank you
amazing….
Very True ….!!
how can I test my site to see if it’s vulnerable?