Security Advisory: XSS Vulnerability Affecting Multiple WordPress Plugins

Multiple WordPress plugins are vulnerable to cross-site scripting (XSS) due to the misuse of the add_query_arg() and remove_query_arg() functions. These are popular functions that developers use to add and modify query strings in URLs within WordPress.

The official WordPress documentation (Codex) for these functions was not very clear and misled many plugin developers into using them in an insecure way. The developers assumed that these functions would escape the user input for them, when they do not. This simple detail caused many of the most popular plugins to be vulnerable to XSS.

To date, this is the list of affected plugins:

There are probably a few more that we have not listed. If you use WordPress, we highly recommend that you go to your wp-admin dashboard and update any out of date plugins now.

This issue was first identified by Joost from Yoast in one of his plugins (he did a great write up about it as well). We worked together with him to investigate the issue and found that it likely affected a lot more plugins than just that one.

Our research team, along with a few friends (especially Joost from Yoast), have been going through the WordPress repository for the last few days in an attempt to find and warn as many plugin developers as possible – and to help them patch the issue.

Coordinated Disclosure

This vulnerability was initially discovered last week. Because of the varying degrees of severity and, more importantly, the large volume of plugins affected, we coordinated a joint security release with all developers involved and the WordPress core security team. It was great teamwork, and a pleasant experience to see so many developers united and working together for the common good. We can happily say that all plugins have been patched, and as of this morning updates should be available to all users (yes, everyone pushed their updates in unison 2 hours ago).

If you use WordPress, now it is your turn to update your plugins!

If you have automatic updates enabled, your site should already be patched, especially in the most severe cases.

There Are More Plugins Vulnerable

Our team only analyzed the top 300-400 plugins, far from all of them as you might imagine, so there are likely a number of plugins still vulnerable. If you’re a developer, check your code to see how you are using these two functions:

add_query_arg
remove_query_arg

Make sure you are escaping their output before use. We recommend using the esc_url() (or esc_url_raw()) functions with them. You should not assume that add_query_arg() and remove_query_arg() will escape user input. The WordPress team is providing more guidelines on how to use them here.
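As an added example (not code from the advisory), the snippet below shows the misuse described above next to the escaped forms recommended here. It assumes it runs inside WordPress (add_query_arg, remove_query_arg, esc_url and esc_url_raw are WordPress core functions); the my_plugin_* names are hypothetical.

```php
<?php
// Added illustration, not part of the original advisory. Assumes WordPress
// core is loaded; the my_plugin_* function names are hypothetical.

// VULNERABLE: with no URL argument, add_query_arg() builds on the current
// request URI, which the visitor controls, and returns it unescaped.
// Printing that string into an href reflects whatever was in the request.
function my_plugin_vulnerable_link() {
    $url = add_query_arg( 'my_plugin_page', 2 );
    echo '<a href="' . $url . '">Next page</a>';
}

// SAFE for HTML output: escape at the point of output with esc_url().
// The query-arg call itself is unchanged; only the output is escaped.
function my_plugin_safe_link() {
    $url = add_query_arg( 'my_plugin_page', 2 );
    echo '<a href="' . esc_url( $url ) . '">Next page</a>';
}

// SAFE for non-HTML use (redirect target, stored value): esc_url_raw()
// sanitizes the URL without HTML-entity encoding it.
function my_plugin_safe_redirect_target() {
    $url = remove_query_arg( array( 'action', '_wpnonce' ) );
    return esc_url_raw( add_query_arg( 'my_plugin_done', 1, $url ) );
}
```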

Update Time!

If you use any of these plugins, make sure to update them now! We will continue to investigate and look for more plugins vulnerable and keep our list here current.

This is also a good time to remind everyone that all software will have bugs and some of those bugs will inevitably lead to security vulnerabilities; such is the life we live in. This applies to plugins, themes, webservers, CMS’s and basically anything that is written by people and based on code. As much as developers try to minimize them and apply secure coding principles, mistakes will inevitably still happen. We just have to be prepared and find ways to minimize the effect of any vulnerability in our environment; a perfect example of such an approach is what you’re seeing today with this coordinated release.

Here are some tips and tricks to help reduce your overall risk profile and help improve your security posture:

    1. Patch. Keep your sites updated. Always.
    2. Restrict. Restrictive access control.
      • Restrict your wp-admin directory to only whitelisted IP addresses. Only give admin access to users that really need it. Do not log in as admin unless you are really doing admin work. These are some examples of restrictive access control policies that can minimize the impact of vulnerabilities in your site.
    3. Monitor. Monitor your logs.
      • They may give you clues to what is happening on your site.
    4. Reduce your scope. Only use the plugins (or themes) that your site really needs to function.
    5. Detect. Prevention may fail, so we recommend scanning your site for indicators of compromise or outdated software.
    6. Defense in Depth. If you have an Intrusion Prevention System (IPS) or Web Application Firewall (WAF), they can help block most common forms of XSS exploits.
      • You can even try our own CloudProxy to help you with that.
      • If you prefer the open source route, you can try OSSEC, Snort and ModSecurity to help you achieve that.

These principles are commonly applied to most secure networks (or in any business that needs to be PCI compliant), but not many website owners think of them for their own site / environment.

These are but a few high level recommendations; we recommend going through our blog for more ideas on how to keep your sites safe and ahead of the threats.

78 comments
  1. “This vulnerability was initially discovered last week”
    This part isn’t technically true. This attack vector was first written about by Mike Jolley in 2013 on his blog. It was also the subject of a disclosure to WooCommerce on Jan 27 (which they patched the next day).

      1. I found similar issues in WP_Supercache and Simple Page ordering during summer of 2014.

        Indeed there is an unfixed issue in one of our supplier’s custom WordPress components which has the same cause (they have other reflected XSS suppression, which mistakenly leads them to think it is less important than it is).

        During discussion of those issues it was noted that the documentation wasn’t ideal, I’d assumed (perhaps incorrectly) this announcement was a follow-up to those discussions.

  2. I’m guessing users of Sucuri’s WAF should be safe nonetheless from these vulnerabilities?

    1. If you think about what the WAF does, it gives you a huge amount of protection over sites not using any real security methods.
      The application exploits are going to be much harder, if not impossible, to conduct behind a strong WAF like Sucuri CloudProxy
      (keep in mind nothing is hack proof, not even the most expensive or advanced system, though the risk is reduced to an extremely small amount compared to non-protected sites).
      So you do not have to scramble as others may, because the Sucuri SOC has already done that for you. Now with that said, it is wise to keep your software updated regardless of what you are using to protect your site. My recommendation is to use both the WAF and, yes, update your site plugins, because security is extremely important and these updates will make what is extremely unlikely to occur using a web application firewall impossible to occur.

      1. A lot of WAFs will spot reflected XSS, but neither spot nor stop attempts at enhanced social engineering via the same failure to escape. Ditto browser XSS auditing tools.

        Mozilla security folk are right that the correct approach for this is a CSP, and not to use inline JS, there is a WordPress plugin that will generate a CSP for your site, but I haven’t tested (or security tested(!!!)) it yet. But this approach too doesn’t stop the option for enhanced social engineering. Ultimately you need programmers to do it right, and to test to make sure they have.

  3. Has anyone heard of these vulnerabilities / these specific plugins actually being exploited in the wild? Hearing something claiming to be related, but guessing it’s maybe existing malware on a user’s computer that’s just been alerted to this and trying to exploit it… still skeptical and don’t have sufficient info from that user to say definitively either way.

    1. I’ve only checked a few, but it seems quite difficult to exploit these. Not impossible, mind you, but it would rely on a very specific set of circumstances.

      1. I suppose it happens whenever something like this gets announced, everyone blames everything on it… I think this is why my car brakes started making noise this morning.

  4. “we coordinated a joint security release with all developers involved and the WordPress core security team”

    Any chance that in future you could let us (Envato) know in advance as well, so we can work out a plan before it’s announced? Even if we can’t reach out to all authors in advance, we could work out which plugins will be affected, prepare our communications, etc. It’d be great if you could give us a heads up too! 🙂

  5. We have a few plugins in use that are ancient. Is there any easy way to test plugins to find out whether they have this hole in them? Also, is there any way to know which, if any, plugins have been auto-updated? Thanks!

    1. @ubernaut:disqus – You have to look in the code of the plugin and see if the following is used and not escaped…

      add_query_arg
      remove_query_arg

      1. not sure if i’d be able to tell 🙁 should the “esc_url() (or esc_url_raw()” be close by to the other terms?

  6. Thanks for bringing this to our attention guys. One of the reasons open source rocks!!!!!

  7. Thanks so much to all developers involved, the WordPress core security team and Sucuri for the advisory. Daniel I posted your Blog and a link back to your site for additional info in a email to all the Austin WordPress members, some of us don’t make it to all the Meetups or check in on group’s site everyday so I thought this justified an ‘all-hands’ email. We have also posted the blog on the group’s facebook page. Thank you for being so generous with your information and reaching out to the community with this advisory, we appreciate your team’s work.

  8. Good to know! Last week my site was hacked, but the hacker got into my site through a contact-form plugin, which wasn’t listed here.
    What’s interesting is that the plugin was deactivated. Is it still possible? Does it mean that I have to update all plugins whether they are active or not?

        1. Well, there are multiple plugins that are used for contact forms. I use Contact Form 7. Is that the one you are talking about?

          1. I’m not sure if it was CF 7 since I didn’t use that plugin and I deleted it right away.

    1. Inactive plugins should be deleted. If you need them in the future, they can be re-installed easy enough.

  9. What about 50mm gallery? I’ve been using that to display my portfolio but lately it doesn’t allow me to add new photos into any of the galleries, even if I create a brand new one. I can upload to the media library but not transfer to the galleries. I’ve had multiple people look at it and no one can tell me what’s going on — could something have affected it that has something to do with this? I’m just not sure what to do.

        1. Check my profile and click on my website link. Just joined Disqus and haven’t read the ToS yet. I don’t want to rock the apple cart.

    1. WP has so many great things about it, it’s hard to complain much about some issues like this.

    2. You know, cause security issues don’t happen to anyone else, especially the size of WordPress. Like Google. Or Apple.

      How dare they charge such a premium to use this painfully insecure product!

  10. Great, I wish we would have had this email and information 4 days ago, now our website is down and we can’t access admin to make any updates. Thanks WordPress 🙁

        1. Yep, I contacted Bluehost and they had a step-by-step for solving the problem. And it worked! Thanks for your reply.

  11. Hi Daniel,
    Good to be here.
    Today while I was adding a twitter plugin suddenly my page disappeared, I mean I received a message from my service providers, saying “Account Suspended”. Immediately I contacted my friend who is taking care of such technical aspects of my page and he contacted the service providers and they said they found some suspicious plugin so they stopped it. My friend sent a complaint ticket and I am still waiting to fix the problem, hopefully in another hour or so it will be fixed.

    This post speaks a lot of things on these aspects; this link my online friend David Leonhardt sent to me in time and is very useful to know a bit more about WordPress plugins.
    Thanks for sharing.
    Have a great day.
    ~ Philip

  12. Thanks for finding this issue and warning us!

    A question though:
    Has it been considered to fix this in the functions mentioned themselves?
    If you would filter the input within the functions, then all plugins would be safe with the update of WP without the need to fix each plugin individually.
    An argument that it would cost too many resources doesn’t hold, as the filter has to be executed nonetheless.

    Any remarks?

    1. Exactly what I was thinking. Why wouldn’t they just fix it in WordPress instead of making sure every plugin developer updates their code.

  13. WordPress lol… is a complete shit! A bunch of messed code touched by thousands of people. Learn how to do from scratch first lazy noobs!

      1. Nope.. my custom friends maker plugin is running flawlessly lololololol

      2. Nope, just real developers that know how to create a real thing from scratch. Better than “wordpress template duplicators”.

  14. This CMS went from Rocket to a bat sprocket. So many vulnerabilities, so many bugs. I got tired of securing it. I have over 200 projects built with WP and my customers are getting tired also of spending money on security.
    Next step is to migrate to Joomla and even if it will take 2 years I will get back to Joomla. Because it’s simply the best.

  15. Shit is hitting the fan. Time to change username. This blew up wide. From all over I can see them try. Country blocking might help….

  16. Once again will have to do the hard work, anyway thanks for the timely update otherwise I often discover when sites are infected.

  17. Is esc_html() sufficient to address the issue, or will only esc_url() or esc_url_raw() do the job? I’ve run into a plugin which passes add_query_arg() to wp_nonce_url(), which uses esc_html().

  18. I’m using these functions, but never echo urls – I’m outputting with wp_safe_redirect() and a _wpnonce – am I still vulnerable? I’m no hacker, so I don’t get this stuff very easily. If I am vulnerable, how does one escape output in a line like this:

    wp_safe_redirect( add_query_arg( $redirect_args, remove_query_arg( array( 'action', '_wpnonce' ) ) ) );

  19. Hey, I’m a plugin developer and I’m using these functions in my plugin for the admin panel, but I never echo urls – I’m outputting with wp_safe_redirect() and a _wpnonce – am I still vulnerable?

    I’m no hacker, so I don’t get this stuff very easily. If I am vulnerable, how does one escape output in a line like this?

    wp_safe_redirect( add_query_arg( $redirect_args, remove_query_arg( array( 'action', '_wpnonce' ) ) ) );

  20. Seems to me like WP should have updated the core (perhaps with a wrapper function) immediately, whilst giving developers a chance to update on their end since it’s a core issue and not a 3rd party code issue.

  21. Strangely I was getting lots of malware and adware on my browsers, and I spent about 12 hours trying to get them off my browsers, just to find out it was on the web, not on the browser. LOL

  22. My client’s website has been continuously crashing since April 25th, and I’ve tried a number of things to get it up and running. The .htaccess file keeps getting corrupted, and I keep replacing it with a fresh one, but that only temporarily fixes the problem. Any insight?

  23. They started showing up again on my site? I have updated all plugins? anyone got an idea what’s going on?

