Blog Post

WordPress XSS Vulnerability

This week was very busy in the world of WordPress: WordPress 4.2 was released yesterday, and massive potential security risk was discovered few days before exposing error in thousands of plugins to XSS vulnerability caused by lack of clarity in WordPress documentation.

For years now plugins are using add_query_arg() and remove_query_arg() functions expecting that URL they get from PHP is sanitized and escaped properly to eliminite possibility of XSS attacks. And WordPress Codex stated something like that, so plugin authors trusted that Codex entry and no one was escaping URL result from these functions. You can read more about this problem on the Sucuri blog.

So, what is the status of Dev4Press plugins? Well, in some cases both these functions were used with URL that is not from the safe source and it had to be escaped properly in several instances. This problem was found in GD Press Tools Pro, GD Custom Posts and Taxonomies Tools Pro and GD Products Center Pro. All three plugins have been updated and updates released. GD bbPress Toolbox Pro version 3.7 released earlier this week is not affected.

What is important now is not to panic and to update WordPress and update all plugins you use that might be affected. This vulnerability is not something that can be easily exploited and so far there are no know reported attacks that used this problem. The only way such attack was possible is to tailor made URL’s to individual websites based on plugins they are using and to rely on administrators to actually click the links that are affected. So, if you get strange emails with links to your own website asking you to login and click the link: don’t do it. Make sure you double check emails that are suspicious and filter them through some spam filters to check if they are valid. Gmail does a great job finding both spam and phishin emails.

Let me know if you find any issues in any of Dev4Press plugins and I will investigate and fix any problem found.

Please wait...

About the author

Milan Petrovic
Milan Petrovic

CEO and Lead developer of Dev4Press Web Development company, working with WordPress since 2008, first as a freelancer, later founding own development company. Author of more than 250 plugins and more than 20 themes.

Subscribe to Dev4Press Newsletter

Get the latest announcements, release digests, promotions and exclusive discounts, and general Dev4Press-related news straight into your mailbox.

This form collects your email (optionally your name) for the purpose of sending you newsletters. Check out our Privacy Policy for more information on how we store and manage your data. We will not send you any spam. Newsletters are sent 2 to 4 times every month.

Latest From The Blog

plugins release sweeppress pro 5 2

SweepPress Pro 5.2

Version 5.2 is a minor scope update that brings a new shared library, expanded lists of values for CRON, options, metadata detections, improvements to the CRON panel filtering, and a few fixes.
plugins relase gd topic prefix pro 4.0

GD Topic Prefix Pro 4.0 for bbPress

A brand new major update for GD Topic Prefix Pro for bbPress is released, and version 4.0 is a smaller scope update that completes all the previous development plans, updates the shared library, and more.
plugins relase gd power search pro 2 6 lite 2 0

GD Power Search Lite 2.0 & Pro 2.6 for bbPress

The fully updated Lite version overhaul is finally ready and available as version 2.0, based on fully updated Pro version 2.6, also available now. This includes various updates and improvements and the latest version of the new shared library.

SiteGround - Managed WordPress Hosting
WP Rocket - Make WordPress Load Fast in a Few Clicks