Blog Post

WordPress XSS Vulnerability

This week was very busy in the world of WordPress: WordPress 4.2 was released yesterday, and massive potential security risk was discovered few days before exposing error in thousands of plugins to XSS vulnerability caused by lack of clarity in WordPress documentation.

For years now plugins are using add_query_arg() and remove_query_arg() functions expecting that URL they get from PHP is sanitized and escaped properly to eliminite possibility of XSS attacks. And WordPress Codex stated something like that, so plugin authors trusted that Codex entry and no one was escaping URL result from these functions. You can read more about this problem on the Sucuri blog.

So, what is the status of Dev4Press plugins? Well, in some cases both these functions were used with URL that is not from the safe source and it had to be escaped properly in several instances. This problem was found in GD Press Tools Pro, GD Custom Posts and Taxonomies Tools Pro and GD Products Center Pro. All three plugins have been updated and updates released. GD bbPress Toolbox Pro version 3.7 released earlier this week is not affected.

What is important now is not to panic and to update WordPress and update all plugins you use that might be affected. This vulnerability is not something that can be easily exploited and so far there are no know reported attacks that used this problem. The only way such attack was possible is to tailor made URL’s to individual websites based on plugins they are using and to rely on administrators to actually click the links that are affected. So, if you get strange emails with links to your own website asking you to login and click the link: don’t do it. Make sure you double check emails that are suspicious and filter them through some spam filters to check if they are valid. Gmail does a great job finding both spam and phishin emails.

Let me know if you find any issues in any of Dev4Press plugins and I will investigate and fix any problem found.

Please wait...

About the author

Milan Petrovic
Milan Petrovic

CEO and Lead developer of Dev4Press Web Development company, working with WordPress since 2008, first as a freelancer, later founding own development company. Author of more than 250 plugins and more than 20 themes.

Subscribe to Dev4Press Newsletter

Get the latest announcements, release digests, promotions and exclusive discounts, and general Dev4Press-related news straight into your mailbox.


This form collects your email (optionally your name) for the purpose of sending you newsletters. Check out our Privacy Policy for more information on how we store and manage your data. We will not send you any spam. Newsletters are sent 2 to 4 times every month.

Latest From The Blog

setup packages

Introducing Setup Packages

By popular request, Dev4Press now includes setup packages that can be purchased along with the plugin licenses and include plugin setup and training with the Dev4Press Support team via Meet, Zoom, or Skype.
antispam wpforms

Fighting spam in WPForms Lite & Pro

WPForms is a very popular plugin for creating contact forms, and a free version is available in the WordPress.org repository. But both versions have very basic spam protection, and that's why coreSecurity Pro has an Antispam feature for the WPForms plugin.
gravity forms antispam results

Gravity Forms Antispam results

We have used the Gravity Forms plugin on Dev4Press for over ten years now, and having a good antispam solution is essential to keep contact form entries clean and not waste time sorting out what is spam or not.

SiteGround - Managed WordPress Hosting
Grammarly - Number 1 Writing App