Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login

Security Advisory: XSS Vulnerability Affecting Multiple WordPress Plugins

April 20, 2015, by Daniel Cid


Multiple WordPress plugins are vulnerable to Cross-Site Scripting (XSS) because of the way they use the add_query_arg() and remove_query_arg() functions. These are popular functions that developers use to add, modify or strip query string parameters on URLs within WordPress.

The official WordPress documentation (Codex) for these functions was not very clear and misled many plugin developers into using them in an insecure way. Developers assumed that these functions would escape user input for them, which they do not: when no URL is passed in, both functions build their result on the current request URI ($_SERVER['REQUEST_URI']), so the returned URL contains whatever the visitor put in the address, and echoing it into a page unescaped is a reflected XSS. This simple detail caused many of the most popular plugins to be vulnerable.

To date, this is the list of affected plugins:

  • Jetpack
  • WordPress SEO
  • Google Analytics by Yoast
  • All In one SEO
  • Gravity Forms
  • Multiple Plugins from Easy Digital Downloads
  • UpdraftPlus
  • WP-E-Commerce
  • WPTouch
  • Download Monitor
  • Related Posts for WordPress
  • My Calendar
  • P3 Profiler
  • Give
  • Multiple iThemes products including Builder and Exchange
  • Broken-Link-Checker
  • Ninja Forms

There are probably a few more that we have not listed. If you use WordPress, we highly recommend that you go to your wp-admin dashboard and update any out-of-date plugins now.

This issue was first identified by Joost from Yoast in one of his plugins (he did a great write-up about it as well). We worked together with him to investigate the issue and found that it likely affected many more plugins than just that one.

Our research team, along with a few friends (especially Joost from Yoast), has been going through the WordPress plugin repository for the last few days in an attempt to find and warn as many plugin developers as possible, and to help them patch the issue.

Coordinated Disclosure

This vulnerability was initially discovered last week. Because of the varying degrees of severity and, more importantly, the large number of plugins affected, we coordinated a joint security release with all the developers involved and the WordPress core security team. It was great teamwork, and a pleasant experience to see so many developers united and working together for the common good. We can happily say that all of the plugins listed above have been patched, and as of this morning updates should be available to all users (yes, everyone pushed their updates in unison two hours ago).

If you use WordPress, now it is your turn to update your plugins!

If you have automatic updates enabled, your site should already be patched, especially in the most severe cases.

There Are More Plugins Vulnerable

Our team only analyzed the top 300-400 plugins, far from all of them as you might imagine, so there are likely a number of plugins still vulnerable. If you are a developer, check your code to see how you use these two functions:

add_query_arg
remove_query_arg

Make sure you escape their output before use. We recommend passing the result through esc_url() (or esc_url_raw() when the URL is not being printed into HTML, for example when it is used in a redirect or stored in the database). Do not assume that add_query_arg() or remove_query_arg() will escape user input. The WordPress team is providing more guidelines on how to use them here.
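To make that check concrete, here is an added example (not Sucuri's or WordPress's code) that scans PHP source for add_query_arg()/remove_query_arg() calls and reports which results never pass through esc_url() or esc_url_raw(). It is a text-based heuristic rather than a PHP parser, so treat it as a way to find the lines worth reading, not as proof that a plugin is safe. The PHP it scans by default (SAMPLE_PHP) is constructed for this example; any plugin paths you pass on the command line are your own.

```python
"""Static check for unescaped add_query_arg()/remove_query_arg() output in PHP source.

Added example for this advisory; it is not Sucuri's or WordPress's code. It lists every
call to the two functions and reports whether the result reaches esc_url()/esc_url_raw(),
either wrapped directly or through a variable. Text-based heuristic, not a PHP parser.
SAMPLE_PHP below is constructed for the example.
"""
import re
import sys

CALL_RE = re.compile(r"\b(add_query_arg|remove_query_arg)\s*\(")
# matches when the text *ends* with an escaper opening its argument list, e.g. "esc_url( "
WRAP_RE = re.compile(r"\b(esc_url|esc_url_raw)\s*\(\s*$")
# matches when the text ends with an assignment target, e.g. "$url = "
ASSIGN_RE = re.compile(r"(\$[A-Za-z_]\w*)\s*=\s*$")
DEF_RE = re.compile(r"\bfunction\s+$")


def _matching_paren(src, open_idx):
    """Index of the ')' closing the '(' at open_idx; skips over quoted PHP strings."""
    depth, quote, i = 0, None, open_idx
    while i < len(src):
        ch = src[i]
        if quote:                      # inside a string literal
            if ch == "\\":
                i += 1                 # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    raise ValueError("unbalanced parentheses at offset %d" % open_idx)


def _uses_all_escaped(src, var, start):
    """True if every later occurrence of $var sits directly inside esc_url()/esc_url_raw()."""
    uses = [m.start() + start for m in re.finditer(re.escape(var) + r"\b", src[start:])]
    return bool(uses) and all(WRAP_RE.search(src[:pos]) for pos in uses)


def check_php(src):
    """Return one dict per add_query_arg/remove_query_arg call: line, func, status."""
    calls = []
    for m in CALL_RE.finditer(src):
        if DEF_RE.search(src[:m.start()]):
            continue                   # a definition of the function, not a call
        calls.append((m.start(), _matching_paren(src, m.end() - 1), m.group(1)))

    findings = []
    for start, close, func in calls:
        before = src[:start]
        if any(s < start and e > close for s, e, _ in calls):
            status = "nested"          # judged together with the call that contains it
        elif WRAP_RE.search(before):
            status = "escaped"
        else:
            assign = ASSIGN_RE.search(before)
            if assign and _uses_all_escaped(src, assign.group(1), close + 1):
                status = "escaped-via-" + assign.group(1)
            else:
                status = "UNESCAPED"
        findings.append({"line": src.count("\n", 0, start) + 1, "func": func, "status": status})
    return findings


# Constructed PHP covering the shapes the checker understands (not from any real plugin).
SAMPLE_PHP = r'''<?php
// (1) result echoed into an href without escaping
echo '<a href="' . add_query_arg( 'page', 2 ) . '">Next</a>';
// (2) the same link, escaped at output
echo '<a href="' . esc_url( add_query_arg( 'page', 2 ) ) . '">Next</a>';
// (3) kept in a variable and escaped where it is printed
$back = remove_query_arg( array( 'action', '_wpnonce' ) );
echo '<a href="' . esc_url( $back ) . '">Back</a>';
// (4) kept in a variable and printed raw; the inner call is judged with the outer one
$next = add_query_arg( 'paged', $paged, remove_query_arg( 'orderby' ) );
printf( '<a href="%s">Next</a>', $next );
'''

if __name__ == "__main__":
    # usage: python check_query_arg.py plugin.php [more.php ...]; no arguments scans SAMPLE_PHP
    sources = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in sys.argv[1:]]
    for name, src in sources or [("SAMPLE_PHP", SAMPLE_PHP)]:
        for f in check_php(src):
            print("%s:%d %s() %s" % (name, f["line"], f["func"], f["status"]))
```

Run it with no arguments to see the verdicts for the constructed sample, or with one or more .php paths to scan a plugin. A variable that receives the result and is later used anywhere except directly inside esc_url()/esc_url_raw() is reported as UNESCAPED; a result that is genuinely used in a non-HTML context (handed to a redirect, stored, used in a header) will be reported the same way and needs a manual look rather than a blind esc_url() wrap.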

Update Time!

If you use any of these plugins, make sure to update them now! We will continue to investigate and look for more plugins vulnerable and keep our list here current.

This is also a good time to remind everyone that all software has bugs, and some of those bugs will inevitably lead to security vulnerabilities; such is the world we live in. This applies to plugins, themes, web servers, CMSs and basically anything written by people. As much as developers try to minimize them and follow secure coding principles, mistakes will still happen. We just have to be prepared and find ways to minimize the effect of any vulnerability in your environment; a perfect example of such an approach is what you are seeing today with this coordinated release.

Here are some tips and tricks to help reduce your overall risk profile and improve your security posture:

    1. Patch. Keep your sites updated. Always.
    2. Restrict. Apply restrictive access control.
      • Restrict your wp-admin directory to a whitelist of IP addresses. Only give admin access to users that really need it. Do not log in as an administrator unless you are really doing admin work. These are some examples of restrictive access control policies that can minimize the impact of vulnerabilities in your site.
    3. Monitor. Monitor your logs.
      • They may give you clues to what is happening on your site.
    4. Reduce your scope. Only use the plugins (or themes) that your site really needs to function.
    5. Detect. Prevention may fail, so we recommend scanning your site for indicators of compromise and outdated software.
      • Our plugin and SiteCheck can do that for you for free.
    6. Defense in depth. If you have an Intrusion Prevention System (IPS) or Web Application Firewall (WAF), it can help block the most common forms of XSS exploits.
      • You can even try our own CloudProxy to help you with that.
      • If you prefer the open source route, OSSEC, Snort and ModSecurity can help you achieve that.

These principles are commonly applied to most secure networks (and to any business that needs to be PCI compliant), but not many website owners think of them for their own site or environment.

These are but a few high-level recommendations; we recommend going through our blog for more ideas on how to keep your sites safe and ahead of the threats.
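As an added example for the monitoring and detection tips above (not Sucuri's or WordPress's code), the following script runs over web-server access-log lines and flags requests whose target carries an attribute break-out or script markup, which is what a probe for this class of bug looks like in a log. The lines in SAMPLE_LOG are constructed for the example, and the patterns are generic reflected-XSS indicators, not signatures for any particular plugin.

```python
"""Look for reflected-XSS probes against WordPress in web-server access logs.

Added example for the "monitor your logs" and "detect" tips; it is not Sucuri's or
WordPress's code. It parses Apache/nginx combined-format lines, percent-decodes the
request target (repeatedly, so double-encoded payloads are not missed) and flags targets
that contain attribute break-outs or script markup. SAMPLE_LOG is constructed here.
"""
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Breaking out of a quoted attribute, inline event handlers, script/markup injection.
XSS_MARKERS = re.compile(
    r'''<\s*script|javascript:|\bon\w+\s*=|"\s*>|'\s*>|<\s*(?:img|svg|iframe)''', re.I
)


def decode_fully(s, rounds=3):
    """Percent-decode until the text stops changing: %253C -> %3C -> '<'."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def inspect(line):
    """Return a finding dict for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = decode_fully(m["target"])
    hit = XSS_MARKERS.search(target)
    if not hit:
        return None
    return {
        "ip": m["ip"],
        "time": m["time"],
        "status": int(m["status"]),
        "admin": target.startswith("/wp-admin/"),   # admin pages are where most of these bugs live
        "marker": hit.group(0),
        "target": target,
    }


def scan(lines):
    """Findings for every suspicious line, in log order."""
    return [f for f in map(inspect, lines) if f]


# Constructed sample: one normal admin request, one probe against an admin page with the
# payload in the query string, one double-encoded probe against the front end.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Apr/2015:10:01:02 +0000] "GET /wp-admin/edit.php?post_status=draft&paged=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Apr/2015:10:02:14 +0000] "GET /wp-admin/admin.php?page=example&paged=1%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 7300 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [20/Apr/2015:10:05:40 +0000] "GET /?s=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 9000 "-" "curl/7.38.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        where = "wp-admin" if f["admin"] else "front-end"
        print("%s %s %s marker=%r target=%s" % (f["time"], f["ip"], where, f["marker"], f["target"]))
```

To use it on a real site, pass the lines of your own access log to scan(). A hit is evidence of a probe, not of a successful attack: an up-to-date plugin escapes the reflected URL and the payload is inert, while an unpatched one echoes it back, so the interesting follow-up is which plugin page was targeted and what version was installed at that time.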


Categories: Security Advisory, Website Security, WordPress Security
Tags: WordPress Plugins and Themes

About Daniel Cid

Daniel B. Cid is Founder of Sucuri and the VP of Engineering for the GoDaddy Security Products group. He is also the founder of OSSEC and CleanBrowsing. You can find more about Daniel on his site dcid.me or on Twitter: @danielcid


Comments

  1. ChrisChristoff

    April 20, 2015

    “This vulnerability was initially discovered last week”
    This part isn’t technically true. This attack vector was first written about by Mike Jolley in 2013 on his blog. It was also the subject of a disclosure to WooCommerce on Jan 27 (which they patched the next day)

    • Claudio Sanches

      April 20, 2015

      Very well remembered!

      • Simon Waters (Surevine)

        April 21, 2015

        I found similar issues in WP_Supercache and Simple Page ordering during summer of 2014.

        Indeed there is an unfixed issue in one of our suppliers custom WordPress components which has the same cause (they have other reflected XSS suppression, which mistakenly leads them to think it is less important than it is).

        During discussion of those issues it was noted that the documentation wasn’t ideal, I’d assumed (perhaps incorrectly) this announcement was a follow-up to those discussions.

  2. RB

    April 20, 2015

    I’m guessing users of Sucuri’s WAF should be safe nonetheless from these vulnerabilities?

    • Thomas Zickell

      April 20, 2015

      If you think about what the WAF does, it gives you a huge amount of protection over sites not using any real security methods.
      The application exploits are going to be much harder, if not impossible, to conduct behind a strong WAF like Sucuri CloudProxy
      (keep in mind nothing is hack proof, not even the most expensive or advanced system, though the risk is reduced to an extremely small amount compared to non-protected sites).
      So you do not have to scramble as others may, because the Sucuri SOC has already done that for you. Now, with that said, it is wise to keep your software updated regardless of what you're using to protect your site. My recommendation is to use both the WAF and, yes, update your site plugins, because security is extremely important and these updates will make what is extremely unlikely to occur using a web application firewall impossible to occur.

      • Simon Waters (Surevine)

        April 21, 2015

        A lot of WAFs will spot reflected XSS, but neither spot, or stop, attempts at enhanced social engineering via the same failure to escape. Ditto browser XSS auditing tools.

        Mozilla security folk are right that the correct approach for this is a CSP, and not to use inline JS, there is a WordPress plugin that will generate a CSP for your site, but I haven’t tested (or security tested(!!!)) it yet. But this approach too doesn’t stop the option for enhanced social engineering. Ultimately you need programmers to do it right, and to test to make sure they have.

  3. Todd

    April 20, 2015

    Thanks! Heading over to update now!

  4. Viktor Nagornyy

    April 20, 2015

    Good job guys! We’ve upgraded all our clients. Thanks for heads up.

  5. Jon

    April 20, 2015

    Has anyone heard of these vulnerabilities / these specific plugins actually being exploited in the wild? Hearing something claiming to be related, but guessing it's maybe existing malware on a user's computer that's just been alerted to this and trying to exploit it... still skeptical and don't have sufficient info from that user to say definitively either way.

    • Otto

      April 21, 2015

      I’ve only checked a few, but it seems quite difficult to exploit these. Not impossible, mind you, but it would rely on a very specific set of circumstances.

      • Jon

        April 21, 2015

        I suppose it happens whenever something like this gets announced, everyone blames everything on it... I think this is why my car brakes started making noise this morning.

  6. Stephen Cronin

    April 21, 2015

    “we coordinated a joint security release with all developers involved and the WordPress core security team”

    Any chance that in future you could let us (Envato) know in advance as well, so we can work out a plan before it’s announced? Even if we can’t reach out to all authors in advance, we could work out which plugins will be affected, prepare our communications, etc. It’d be great if you could give us a heads up too! 🙂

    • Pharmokan

      April 22, 2016

      offer a bounty program and that just might happen

  7. Ben

    April 21, 2015

    We have a few plugins in use that are ancient. Is there any easy way to test plugins to find out whether they have this hole in them? Also, is there any way to know which, if any, plugins have been auto-updated? Thanks!

    • Phil

      April 21, 2015

      @ubernaut – You have to look in the code of the plugin and see if the following is used and not escaped…

      add_query_arg
      remove_query_arg

      • Ben

        April 21, 2015

        Not sure if I'd be able to tell 🙁 Should the esc_url() (or esc_url_raw()) be close by to the other terms?

        • Phil

          April 21, 2015

          Yes! The esc_url should wrap the other:

          esc_url( add_query_arg() )

          • Ben

            April 21, 2015

            ok thanks for the help!

  8. TJF

    April 21, 2015

    Is this the same xss vulnerability being patched in WP 4.1.2?

    • Phil

      April 21, 2015

      @TJF – Yes and no… You have to update your plugins as well!

  9. Joey-@-Transforia

    April 21, 2015

    Thanks for bringing this to our attention guys. One of the reasons open source rocks!!!!!

  10. Peter La Fond

    April 21, 2015

    Are themes also affected ? If so, is there a list?

  11. SandiChevalier-Batik

    April 21, 2015

    Thanks so much to all developers involved, the WordPress core security team and Sucuri for the advisory. Daniel, I posted your blog and a link back to your site for additional info in an email to all the Austin WordPress members; some of us don't make it to all the Meetups or check in on the group's site every day, so I thought this justified an 'all-hands' email. We have also posted the blog on the group's Facebook page. Thank you for being so generous with your information and reaching out to the community with this advisory; we appreciate your team's work.

  12. Iryna

    April 22, 2015

    Good to know! Last week my site was hacked, but the hacker got into my site through a contact-form plugin, which wasn't listed here.
    What's interesting is that the plugin was deactivated. Is that still possible? Does it mean that I have to update all plugins whether they are active or not?

    • fghfghgggg

      April 22, 2015

      Which plugin exactly?

      • Iryna

        April 22, 2015

        Contact Form plugin

        • Awesome Bryner

          April 23, 2015

          Well, there are multiple plugins that are used for contact forms. I use Contact Form 7. Is that the one you are talking about?

          • Iryna

            April 24, 2015

            I’m not sure if it was CF 7 since I didn’t use that plugin and I deleted it right away.

    • One Million Your Moms

      June 13, 2015

      Inactive plugins should be deleted. If you need them in the future, they can be re-installed easy enough.

  13. Laura

    April 23, 2015

    What about 50mm gallery? I’ve been using that to display my portfolio but lately it doesn’t allow me to add new photos into any of the galleries, even if I create a brand new one. I can upload to the media library but not transfer to the galleries. I’ve had multiple people look at it and no one can tell me what’s going on — could something have affected it that has something to do with this? I’m just not sure what to do.

    • Marc Hall

      April 23, 2015

      Contact me and I will have a look and let you know what I find.

      • Laura

        April 23, 2015

        Marc, I’d love to, how do I contact you?

        • Marc Hall

          April 23, 2015

          Check my profile and click on my website link. Just joined Disqus and haven’t read the ToS yet. I don’t want to rock the apple cart.

        • Marc Hall

          April 23, 2015

          Ok ToS doesn’t prohibit us from posting contact info – marc@hallmarcwebsites.com

  14. aaanativearts

    April 23, 2015

    wp-all-import-pro was also hacked

  15. Emanuele Manco

    April 23, 2015

    Yay, another security issue. Kudos WordPress!

    • David Hunt

      April 26, 2015

      WP has so many great things about it, it's hard to complain much about some issues like this.

    • dasdas

      April 26, 2015

      That's why I still use Blogger lol

    • LerndGud

      April 27, 2015

      You know, cause security issues don’t happen to anyone else, especially the size of WordPress. Like Google. Or Apple.

      How dare they charge such a premium to use this painfully insecure product!

    • One Million Your Moms

      June 13, 2015

      …back under the bridge…

  16. Primož Cigler

    April 23, 2015

    Thank you for the update, I’m patching our themes now.

  17. Lucky Bhumkar

    April 23, 2015

    Very Valuable information..! Thanks, Daniel Cid for sharing..

  18. mcassara

    April 24, 2015

    Damn… my sites are infected…

  19. Aspensam

    April 24, 2015

    Great, I wish we would have had this email and information 4 days ago, now our website is down and we can’t access admin to make any updates. Thanks WordPress 🙁

    • Julie Mockerman

      April 25, 2015

      Mine, too. What can we do about this if we can’t get into the site?

      • minimalmammal

        April 27, 2015

        … access the server?

        • Julie Mockerman

          April 27, 2015

          Yep, I contacted Bluehost and they had a step-by-step for solving the problem. And it worked! Thanks for your reply.

        • One Million Your Moms

          June 13, 2015

          Forest for the trees, I guess.

    • One Million Your Moms

      June 13, 2015

      WordPress is not responsible for the security of your website.

  20. April Edwards

    April 24, 2015

    Thank you so much for the thorough explanation of this security issue. I’ll be immediately updating all my client’s sites.

  21. Philip Verghese Ariel

    April 25, 2015

    Hi Daniel,
    Good to be here,
    Today while I was adding a Twitter plugin, suddenly my page disappeared. I mean, I received a message from my service providers saying "Account Suspended". Immediately I contacted my friend who is taking care of such technical aspects of my page, and he contacted the service providers, and they said they found some suspicious plugin so they stopped it. My friend sent a complaint ticket and I am still waiting to fix the problem; hopefully in another hour or so it will be fixed.

    This post says a lot of things on these aspects. This link my online friend David Leonhardt sent to me in time, and it is very useful to know a bit more about WordPress plugins.
    Thanks for sharing.
    Have a great day.
    ~ Philip

  22. LYF Solutions

    April 25, 2015

    Great blog and thanks for letting us know.

  23. Craig Grella

    April 25, 2015

    Nice work – as always, thanks for the warnings!

  24. DeBAAT

    April 26, 2015

    Thanks for finding this issue and warning us!

    A question though:
    Has it been considered to fix this in the functions mentioned themselves?
    If you would filter the input within the functions, then all plugins would be safe with the update of WP without the need to fix each plugin individually.
    An argument that it would cost too much in resources doesn't hold, as the filter has to be executed nonetheless.

    Any remarks?

    • Bill Addison

      May 4, 2015

      Exactly what I was thinking. Why wouldn’t they just fix it in WordPress instead of making sure every plugin developer updates their code.

  25. José de Almeida

    April 26, 2015

    WordPress lol... is complete shit! A bunch of messed-up code touched by thousands of people. Learn how to do it from scratch first, lazy noobs!

    • Avalonica

      May 3, 2015

      Find it difficult making friends, José ?

      • José de Almeida

        May 7, 2015

        Nope.. my custom friends maker plugin is running flawlessly lololololol

      • José de Almeida

        June 24, 2015

        Nope, just real developers that know how to create a real thing from scratch. Better than “wordpress template duplicators”.

  26. URAGANU .

    April 26, 2015

    This CMS went from a rocket to a bat sprocket. So many vulnerabilities, so many bugs. I got tired of securing it. I have over 200 projects built with WP and my customers are also getting tired of spending money on security.
    The next step is to migrate to Joomla, and even if it takes 2 years I will get back to Joomla. Because it's simply the best.

  27. rosepleinair

    April 26, 2015

    Shit is hitting the fan. Time to change username. This blew up wide. From all over I can see them try. Country blocking might help….

  28. Ashif Zubair

    April 27, 2015

    Very pleased to know that all devs united for a common good!

  29. Yogesh B

    April 27, 2015

    Once again I will have to do the hard work. Anyway, thanks for the timely update; otherwise I often discover it when sites are infected.

  30. sdunham

    April 27, 2015

    Is esc_html() sufficient to address the issue, or will only esc_url() or esc_url_raw() do the job? I’ve run into a plugin which passes add_query_arg() to wp_nonce_url(), which uses esc_html().

  31. Andres Hunger

    April 28, 2015

    Great blog and thanks for letting us know.

  32. Gerald

    April 28, 2015

    Another plugin that is affected: “stops-core-theme-and-plugin-updates”

    • One Million Your Moms

      June 13, 2015

      LOL, even the name of that one sounds fishy.

  33. Joe Melberg

    April 28, 2015

    I'm using these functions, but never echo URLs. I'm outputting with wp_safe_redirect() and a _wpnonce. Am I still vulnerable? I'm no hacker, so I don't get this stuff very easily. If I am vulnerable, how does one escape output in a line like this:

    wp_safe_redirect( add_query_arg( $redirect_args, remove_query_arg( array( 'action', '_wpnonce' ) ) ) );

  34. Joe Melberg

    April 29, 2015

    Hey, I'm a plugin developer and I'm using these functions in my plugin for the admin panel, but I never echo URLs. I'm outputting with wp_safe_redirect() and a _wpnonce. Am I still vulnerable?

    I'm no hacker, so I don't get this stuff very easily. If I am vulnerable, how does one escape output in a line like this?

    wp_safe_redirect( add_query_arg( $redirect_args, remove_query_arg( array( 'action', '_wpnonce' ) ) ) );

  35. Justin L

    May 4, 2015

    Seems to me like WP should have updated the core (perhaps with a wrapper function) immediately, whilst giving developers a chance to update on their end since it’s a core issue and not a 3rd party code issue.

  36. Olawale Daniel

    May 4, 2015

    Thank you for research and instant notification.

  37. besnikus

    May 6, 2015

    Strangely, I was getting lots of malware and adware on my browsers, and I spent about 12 hours trying to get them off my browsers, just to find out it was on the web, not in the browser. LOL

  38. Rachel

    May 8, 2015

    My client’s website has been continuously crashing since April 25th, and I’ve tried a number of things to get it up and running. The .htaccess file keeps getting corrupted, and I keep replacing it with a fresh one, but that only temporarily fixes the problem. Any insight?

  39. besnikus

    May 9, 2015

    They started showing up again on my site. I have updated all plugins. Anyone got an idea what's going on?


  41. Leon

    July 8, 2015

    amazing….

  42. Akhilesh

    January 28, 2016

    Very True ….!!

  43. Jeffrey Jones

    April 9, 2016

    how can I test my site to see if it’s vulnerable?
