Warning! XSS vulnerability in WordPress and a set plug-ins.

Blog Categories

Basket of services

Company news

Thursday, 24 December 2015: Merry Christmas and Happy New Year!
Monday, 20 April 2015: Accepting payments through payment system Webmoney and Z-Payment restored
Saturday, 18 April 2015: Unavailable accepting payments via Webmoney and Z-Payment
Thursday, 05 March 2015: To order new services are available - DNS hosting and secondary DNS server
Wednesday, 25 February 2015: Added new ways to pay for services

Recent blog posts

Warning! XSS vulnerability in WordPress and a set plug-ins.

Thursday, 23 April 2015 11:31

Network Security

April 20, 2015 was publicized critical vulnerability allows an XSS attack on a website that is subject to a huge number of plugins for Wordpress.

The vulnerability is related to the misuse of the developers of plugins and features add_query_arg remove_query_arg, which were not well documented in the documentation Wordpress, plugin developers that introduced misleading and resulted in the feasibility of the attack.

Specialists of the company Sucuri were tested about 300 of the most popular plugins Wordpress, many of them are affected, it was confirmed. We will publish the list below. Developers data plug-ins already released an update covering the vulnerability. However, we want to note that this list is not complete, it is clear that much more vulnerable plug-ins, just as long as they might, no one tested.

List of plug-ins in which the vulnerability has been confirmed and developers released an update:

- Jetpack
- WordPress SEO
- Google Analytics by Yoast
- All In one SEO
- Gravity Forms
- Multiple Plugins from Easy Digital Downloads
- UpdraftPlus
- WP-E-Commerce
- WPTouch
- Download Monitor
- Related Posts for WordPress
- My Calendar
- P3 Profiler
- Give
- Multiple iThemes products including Builder and Exchange
- Broken-Link-Checker
- Ninja Forms

It was also released updated and Wordpress.

We would like to note that the most likely in the near future there will be exploits designed to crack sites using this vulnerability, and immediately begin mass hacking.

We strongly recommend that you update your site on Wordpress, and all plug-ins (not just those that are on the list) to the latest version and check whether used in plug-ins, which you will not find the update function add_query_arg and remove_query_arg. If they are present, it is likely that these plug-ins are also vulnerable.

If you need help - you can contact our support team.

Tagged under:

Read: 4659 times