Recent WordPress exploit. Update to the latest version 4.2.1 NOW!
If your website is built on WordPress, it is important to note that there have been some issues regarding XSS (Cross-site Scripting) recently with WordPress versions 4.1.1 and earlier. This vulnerability can enable anonymous users to compromise a website if you do not Update your website to the newest WordPress versions and all theme and plugins. The issue was caused by documentation in the official WordPress Codex for the popular functions add_query_arg() and remove_query_arg() not being very clear which has led to their unsecured use by developers.
This has affected many of the most popular WordPress themes and plugins. At this time there is a comprehensive review taking place to ensure that issues with the affected ones are being resolved.
According to Gary Pendergast, who is assisting in the effort to resolve this, “There is no official headcount on how many plugin’s are affected, as it’s a case-by-case things to check.” He has also indicated that some of the affected plugins are no longer having automated updates, stating “Jetpack, EDD, P3, Download Monitor and Related Posts for WP opted-in for auto updates, I didn’t keep track of who opted out.”
When was this issue discovered and who was affected?
The vulnerabilities in the themes and plugins were first discovered by Joost De Valk and shared on his Yoast site. Joost identified the issues with the themes and plugins approximately two weeks ago, a joint release from a group of developers was created with the WordPress security team. This joint release represented a shared mission to resolve these issues and share needed information with current users. All patches and updates were pushed to users within the last week.
As previously stated not all of the affected themes and plugins have been determined, we have listed several that have been identified below, however this is not a complete list.
- Gravity Forms
- WP E-Commerce
- WP Touch
- WordPress SEO
- Updraft Plus
- Google Analytics by Yoast
- All in One SEO
- Easy Digital Downloads
- My Calendar
- Ninja Forms
These just represent a few of the affected themes and plugins, so if you do not see one you have used on the list that does not mean it wasn’t affected. As more research is completed additional plugins will be identified.
It is not uncommon for issues that cause vulnerability to arise, it is more common than most people realize. What is important is that information is shared with the user, and that the information needed to protect the user from vulnerabilities is shared.We will test your website and send you the results and help you setup a calendar to prioritize your website maintenance.
What is being done to solve this issue?
The WordPress.org team has scrambled to get to the bottom of the issue and have released a critical security update in the form of WordPress 4.2.1. This update has been rolled out as automatic background update for websites which have enabled this function.
What if I am a developer and I have not been contacted?
If you have been using the information that was provided in the WordPress Codex to develop functions that would correctly escape user input, you may have added incorrect coding, which would mean you could possibly be share the XSS vulnerability as well. The inaccurate information in the Codex was created in 2009, which means it is possible that you could have entered the wrong coding. The first thing you should do is check to see if you use the functions add_query_arg() and/or the remove_query_arg() in your theme or plugin. If so, you will need to escape the output using one of the following functions:
- If you are using the add_query_arg() or remove_query_arg() in an HTTP header or location redirect you will need to use esc_url_raw() to escape the output
- If you are using it as a link in printed materials you will want to use the esc_url()
This information is clearly laid out by Gary Prendergast’s post on the make.wordpress.org page, it provides the steps that are needed to escape the output. By making these changes you can resolve the vulnerabilities that were created by the original errors.
What if I am not a developer?
If you haven’t updated your site to the latest WordPress version then you should do that first. This is critical because keeping your site up to date will help you maintain a secure site. When you are purchasing new themes and plugins make sure that you check to see if there are any additional updates you need to load.
Also, look at who has access to your site, make sure that the people that have admin access are only people you trust, and who need it. And don’t overload your site with unnecessary themes and plugins, use only want you need. This will make it easier for you to manage the security of the themes and plugins you do need. Make your passwords strong with this tool.
You should also regularly scan your site to determine any threats or issues that arise, regular scanning can prevent future problems. Ensure that you have a strong prevention system in place, while it may be costly on the front end, the savings from good prevention will pay off in the long run. New threats emerge every day and prevention is truly the best defense, even your personal site should be well protected. Think of your site as your business, and then protect it as such, take the steps to ensure that your site is protected by engaging the proper professional.
Maintenance Package with PX Media.
PX Media offers WordPress maintenance packages that will set your mind at ease. We regularly check your sites security, plugins, theme versions, and keep your WordPress up to date. We keep a recent backup of your site so if anything were to happen you will be back up in minutes. As mentioned above, many things can go wrong if you update or add a incompatible plugin or theme to a WordPress CMS. We are always prepared.
Give us a call and get a free quote.