This week was very busy in the world of WordPress: WordPress 4.2 was released yesterday, and a massive potential security risk was discovered a few days before that, exposing thousands of plugins to an XSS vulnerability caused by a lack of clarity in the WordPress documentation.
For years now, plugins have been using the add_query_arg() and remove_query_arg() functions expecting that the URL returned by these functions is sanitized and escaped properly to eliminate the possibility of XSS attacks. The WordPress Codex stated something to that effect, so plugin authors trusted that Codex entry and no one was escaping the URL these functions return. You can read more about this problem on the Sucuri blog.
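The vulnerable pattern next to the fixed one, as an added example (not Dev4Press code and not the WordPress implementation). It assumes WordPress is loaded; outside WordPress, simplified stand-ins for add_query_arg() and esc_url() are defined so the script runs on its own, and the request URI is a constructed sample.

```php
<?php
// Added example, not plugin code. Outside WordPress, simplified stand-ins are
// defined so the script runs stand-alone; inside WordPress the real functions win.
if ( ! function_exists( 'add_query_arg' ) ) {
    // Simplified stand-in: appends key=value to the current request URI.
    // The real function also builds on $_SERVER['REQUEST_URI'], which is
    // exactly why its return value is attacker-influenced and must be escaped.
    function add_query_arg( $key, $value ) {
        $uri = $_SERVER['REQUEST_URI'];
        $sep = ( strpos( $uri, '?' ) === false ) ? '?' : '&';
        return $uri . $sep . rawurlencode( $key ) . '=' . rawurlencode( $value );
    }
}
if ( ! function_exists( 'esc_url' ) ) {
    // Simplified stand-in for esc_url(): escape for use inside an HTML attribute.
    function esc_url( $url ) {
        return htmlspecialchars( $url, ENT_QUOTES, 'UTF-8' );
    }
}

// Constructed sample request URI carrying an attribute-breakout string, standing in
// for a crafted link an administrator was tricked into opening.
$_SERVER['REQUEST_URI'] = '/wp-admin/admin.php?page=example-plugin&x="><b>injected</b>';

// Vulnerable pattern: the returned URL is trusted and echoed straight into href.
// The double quote in the request closes the attribute and the markup lands in the page.
function vulnerable_link() {
    return '<a href="' . add_query_arg( 'action', 'save' ) . '">Save</a>';
}

// Fixed pattern: escape at output time. esc_url() turns the quote and angle
// brackets into entities, so the injected text stays inside the attribute value.
function fixed_link() {
    return '<a href="' . esc_url( add_query_arg( 'action', 'save' ) ) . '">Save</a>';
}

echo vulnerable_link(), "\n";
echo fixed_link(), "\n";
```

Inside WordPress, use esc_url() when printing the URL into HTML and esc_url_raw() when storing it or passing it to wp_redirect().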
So, what is the status of Dev4Press plugins? Well, in several instances both of these functions were used with a URL that does not come from a safe source, and the result had to be escaped properly. This problem was found in GD Press Tools Pro, GD Custom Posts and Taxonomies Tools Pro and GD Products Center Pro. All three plugins have been updated and the updates released. GD bbPress Toolbox Pro version 3.7, released earlier this week, is not affected.
What is important now is not to panic, and to update WordPress and all the plugins you use that might be affected. This vulnerability is not something that can be easily exploited, and so far there are no known reported attacks that used this problem. The only way such an attack is possible is to tailor URLs to individual websites based on the plugins they are using and to rely on administrators actually clicking the affected links. So, if you get strange emails with links to your own website asking you to log in and click the link: don't do it. Make sure you double-check suspicious emails and run them through a spam filter to check whether they are legitimate. Gmail does a great job of catching both spam and phishing emails.
Let me know if you find any issues in any of the Dev4Press plugins and I will investigate and fix any problem found.