Warning! XSS vulnerability in WordPress and a set of plug-ins.

Thursday, 23 April 2015 11:31

On April 20, 2015 a critical vulnerability was publicized that allows an XSS attack on a website; a huge number of WordPress plugins are affected by it.

The vulnerability stems from plugin developers misusing the functions add_query_arg and remove_query_arg. These functions were poorly documented in the WordPress documentation, which misled plugin developers into using them unsafely and made the attack possible.
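The pattern behind the vulnerability, shown as an added example (this is not code from the original post or from any of the plugins listed below): a plugin builds a link with add_query_arg() or remove_query_arg() and echoes the result into HTML without escaping it. The function and parameter names prefixed myplugin_ are assumed for illustration; add_query_arg, remove_query_arg, esc_url, esc_url_raw, esc_html and wp_safe_redirect are WordPress core functions.

```php
<?php
/*
 * Added example, not code from the original post or from any listed plugin.
 * The myplugin_* names and the "myplugin_tab" query key are assumptions made
 * for the illustration. This file is meant to run inside WordPress, where
 * add_query_arg() and the esc_* helpers are defined.
 */

// VULNERABLE: when no URL argument is given, add_query_arg() builds on the
// current request URI ($_SERVER['REQUEST_URI']), i.e. on data the visitor
// controls. Echoing the result unescaped into an href reflects that data
// straight into the page.
function myplugin_tab_link_vulnerable( $tab ) {
    $url = add_query_arg( 'myplugin_tab', $tab );
    return '<a href="' . $url . '">' . esc_html( $tab ) . '</a>';
}

// The same problem applies to remove_query_arg(): its base URL is also the
// current request URI.
function myplugin_reset_link_vulnerable() {
    $url = remove_query_arg( 'myplugin_tab' );
    return '<a href="' . $url . '">Reset</a>';
}

// FIXED: pass the return value through esc_url() before it reaches HTML
// output. esc_url() strips characters that are not valid in a URL, rejects
// unsafe protocols and encodes the quote and ampersand characters that could
// otherwise terminate the attribute or inject markup.
function myplugin_tab_link( $tab ) {
    $url = add_query_arg( 'myplugin_tab', $tab );
    return '<a href="' . esc_url( $url ) . '">' . esc_html( $tab ) . '</a>';
}

function myplugin_reset_link() {
    $url = remove_query_arg( 'myplugin_tab' );
    return '<a href="' . esc_url( $url ) . '">Reset</a>';
}

// For non-HTML contexts (redirects, values stored in the database) use
// esc_url_raw(), which sanitizes the URL without HTML-encoding it.
function myplugin_redirect_to_tab( $tab ) {
    wp_safe_redirect( esc_url_raw( add_query_arg( 'myplugin_tab', $tab ) ) );
    exit;
}
```

The rule of thumb that follows from this: treat the return value of add_query_arg() and remove_query_arg() as untrusted input, and escape it for the context it is used in, exactly as you would with any value derived from the request.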

Specialists from the company Sucuri tested about 300 of the most popular WordPress plugins and confirmed that many of them are affected. We publish the list below. The developers of these plugins have already released updates that close the vulnerability. However, we want to note that this list is not complete: there are clearly many more vulnerable plugins that simply have not been tested yet.

List of plug-ins in which the vulnerability has been confirmed and developers released an update:

  • Jetpack
  • WordPress SEO
  • Google Analytics by Yoast
  • All In one SEO
  • Gravity Forms
  • Multiple Plugins from Easy Digital Downloads
  • UpdraftPlus
  • WP-E-Commerce
  • WPTouch
  • Download Monitor
  • Related Posts for WordPress
  • My Calendar
  • P3 Profiler
  • Give
  • Multiple iThemes products including Builder and Exchange
  • Broken-Link-Checker
  • Ninja Forms

An update for WordPress itself has also been released.

We would like to note that exploits targeting sites through this vulnerability will most likely appear in the near future, and mass compromise of sites will begin right after.

We strongly recommend that you update your WordPress site and all plug-ins (not just those on the list) to the latest version, and that you check whether the plug-ins for which no update is available use the functions add_query_arg and remove_query_arg. If they do, those plug-ins are likely also vulnerable.
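An added example for the check recommended above (it is not part of the original post): a small PHP script that walks a plugin directory and lists the lines on which add_query_arg() or remove_query_arg() is called without esc_url() or esc_url_raw() on the same line. The sample plugin file it writes when no directory is given is constructed for the demonstration; the script and file names are assumptions.

```php
<?php
/*
 * Added example, not from the original post. Triage aid: it lists call sites
 * of add_query_arg()/remove_query_arg() that are not wrapped in esc_url() or
 * esc_url_raw() on the same line. Every finding needs a human look, since the
 * value may be escaped on a later line or used only in a non-HTML context.
 *
 * Usage (assumed file name): php audit-query-arg.php /path/to/wp-content/plugins
 * With no argument it scans a constructed sample directory created below.
 */

function audit_query_arg_file( $path ) {
    $findings = array();
    $lines    = file( $path );
    if ( false === $lines ) {
        return $findings;
    }
    foreach ( $lines as $no => $line ) {
        if ( ! preg_match( '/\b(add|remove)_query_arg\s*\(/', $line ) ) {
            continue;
        }
        // Heuristic: esc_url( or esc_url_raw( on the same line counts as handled.
        if ( preg_match( '/\besc_url(_raw)?\s*\(/', $line ) ) {
            continue;
        }
        $findings[] = sprintf( '%s:%d: %s', $path, $no + 1, trim( $line ) );
    }
    return $findings;
}

function audit_query_arg_dir( $dir ) {
    $findings = array();
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $it as $file ) {
        if ( 'php' !== strtolower( $file->getExtension() ) ) {
            continue;
        }
        $findings = array_merge( $findings, audit_query_arg_file( $file->getPathname() ) );
    }
    return $findings;
}

// Constructed sample so the script can be tried without a WordPress install.
$target = isset( $argv[1] ) ? $argv[1] : null;
if ( null === $target ) {
    $target = sys_get_temp_dir() . '/audit-sample-plugin';
    @mkdir( $target );
    file_put_contents( $target . '/sample.php', "<?php\n"
        . "\$a = add_query_arg( 'tab', 'x' );\n"                       // flagged
        . "echo esc_url( remove_query_arg( 'tab' ) );\n"                 // handled
        . "\$b = esc_url_raw( add_query_arg( array( 'p' => 1 ) ) );\n"  // handled
    );
}

foreach ( audit_query_arg_dir( $target ) as $finding ) {
    echo $finding, PHP_EOL;
}
```

Run against the constructed sample, the script reports only the second line of sample.php, where the result of add_query_arg() is stored without any escaping. Against a real plugins directory it produces a list of places to review by hand; a plugin with no findings is not proven safe, because the same-line heuristic cannot follow a value that is escaped, or left unescaped, further down.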

If you need help, you can contact our support team.
