UPDATE:
WordPress version 4.2, named after jazz musician Bud Powell, was released to the public on April 23rd, 2015.
Following that release, WordPress 4.2.1 is now available. It is a critical security release for all previous versions, and it is highly recommended that you update your sites immediately.
Critical WordPress Security Update
WordPress just released a critical security update that fixes a cross-site scripting (XSS) vulnerability. The WordPress 4.1.2 security update patches this issue, which was first discovered by the WordPress community. WordPress has also addressed three other issues in this security update:
- Preventing files with bad names from being uploaded in WordPress 4.1
- Fixing a very limited cross-site scripting vulnerability that could be used as part of a social engineering attack in WordPress 3.9
- Fixing an SQL injection vulnerability that affected some plugins
List Of Plugins Affected That Need To Be Updated
The issue originated from a documentation mistake that led developers to use a couple of WordPress functions that could potentially be used in an attack. There is no known instance of it actually happening though.
“Due to a now-fixed ambiguity in the documentation for the add_query_arg() and remove_query_arg() functions, many plugins were using them incorrectly, allowing for potential XSS attack vectors in their code.”
Sucuri, a security firm, has listed the plugins it found vulnerable to this flaw. If you use any of these plugins, please update them immediately.
- Jetpack
- WordPress SEO
- Google Analytics by Yoast
- All In one SEO
- Gravity Forms
- Multiple Plugins from Easy Digital Downloads
- UpdraftPlus
- WP-E-Commerce
- WPTouch
- Download Monitor
- Related Posts for WordPress
- My Calendar
- P3 Profiler
- Give
- Multiple iThemes products including Builder and Exchange
- Broken-Link-Checker
- Ninja Forms
As a safety measure, log in to your WordPress admin dashboard and update all out-of-date plugins.
Coordinated Response To Release The WordPress Security Update
The advantage of having an active community around WordPress is that people are constantly contributing in various capacities. There has been a coordinated effort between the WordPress security team, Sucuri, Joost (author of the Yoast WordPress SEO plugin) and many others. This has led to quick identification of the affected plugins and a continuing effort to scan more of them. An open and proactive community is always good for the ecosystem.
WordPress User: What You Need To Do
First things first, log in and update your WordPress installation. If you don’t know how, get in touch with your developer and ask him/her to update it for you immediately. Then update all plugins that are out of date, especially if you use any of the plugins listed above.
To make your WordPress website safer, Sucuri suggests taking the following steps:
- Always keep your websites updated to the latest versions.
- Restrict access to admin areas only to known people and use a whitelist of IP addresses.
- Only use plugins that are necessary. Unused or old plugins should be removed from your setup. This reduces your exposure.
- Use third party security scanning services to monitor and detect potential misuse or outdated plugins.
- Check with your hosting provider what security measures they’ve applied to your server.
WordPress Plugin Developer: What You Need To Do
Here is how one plugin developer fixed the security issue for his plugin.
Safe add_query_arg and remove_query_arg
You need to sanitize the output with esc_url. Joost has written a blog post on this security release explaining how plugin developers can fix it.
"if you’re using either add_query_arg or remove_query_arg without passing in the URL, it bases the URL it creates off of $_SERVER['REQUEST_URI']. In that process, it URL decodes the parameter names in the request URI, allowing for XSS. The solution is to simply wrap the output in esc_url and you’re done"
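As an added example (not code from the original post or from any plugin listed above), here is the vulnerable pattern Joost describes beside two corrected forms. It assumes it runs inside WordPress, since add_query_arg(), remove_query_arg(), esc_url() and admin_url() are WordPress core functions; the plugin slug and function names are hypothetical.

```php
<?php
/**
 * Added example for the add_query_arg()/remove_query_arg() XSS issue.
 * Assumes a WordPress runtime; all wp_* / esc_* / *_query_arg() calls are core.
 * "hypothetical_plugin" and its function names are placeholders, not a real plugin.
 */

// VULNERABLE: no base URL is passed, so add_query_arg() builds the link from
// $_SERVER['REQUEST_URI']. Parameter names from the request are URL-decoded
// along the way, and the result is echoed into an href without escaping.
function hypothetical_plugin_next_link_vulnerable( $page ) {
    $url = add_query_arg( 'paged', (int) $page + 1 );
    return '<a href="' . $url . '">Next</a>';
}

// FIXED (1): identical call, but the output is wrapped in esc_url() before it
// reaches HTML. This is the remedy quoted above.
function hypothetical_plugin_next_link_fixed( $page ) {
    $url = add_query_arg( 'paged', (int) $page + 1 );
    return '<a href="' . esc_url( $url ) . '">Next</a>';
}

// FIXED (2): pass an explicit, trusted base URL so the request URI is never
// consulted at all, and still escape on output (defence in depth).
function hypothetical_plugin_next_link_explicit( $page ) {
    $base = admin_url( 'admin.php?page=hypothetical-plugin' );
    $url  = add_query_arg( 'paged', (int) $page + 1, $base );
    return '<a href="' . esc_url( $url ) . '">Next</a>';
}

// remove_query_arg() without a URL has the same $_SERVER['REQUEST_URI']
// behaviour, so its output needs the same esc_url() wrapper.
function hypothetical_plugin_reset_link() {
    $url = remove_query_arg( array( 'paged', 's' ) );
    return '<a href="' . esc_url( $url ) . '">Reset</a>';
}
```

When auditing a plugin, the thing to look for is any add_query_arg() or remove_query_arg() result that reaches HTML, a redirect or a header without passing through esc_url() (or esc_url_raw() for non-HTML contexts).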