Widespread WordPress Plugins and Themes Security Vulnerability

I’d like to bring to your attention an XSS vulnerability affecting multiple WordPress plugins and themes. The vulnerability is caused by a common code pattern used in WordPress plugins and themes.

Please review:

https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html

More details are available via the following links:

https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html
http://wptavern.com/xss-vulnerability-affects-more-than-a-dozen-popular-wordpress-plugins
https://poststatus.com/coordinated-plugin-updates-to-address-security-vulnerability-in-many-popular-wordpress-plugins/
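The Sucuri advisory linked above concerns plugin and theme code that echoes the return value of add_query_arg() or remove_query_arg() without escaping it; because both functions fall back to $_SERVER['REQUEST_URI'] when no URL is passed, the unescaped result reflects attacker-controlled characters from the current URL into the page. The following is an added illustration, not code from any poster or from any affected plugin: the pattern beside its hardened form. It assumes WordPress core is loaded (add_query_arg, remove_query_arg and esc_url are core functions); the example_ function names are illustrative.

```php
<?php
// Added example (not from the thread or from any affected plugin).
// Assumes WordPress core is loaded: add_query_arg(), remove_query_arg()
// and esc_url() are WordPress core functions. The example_* names are
// illustrative, not functions from any real plugin.

// VULNERABLE PATTERN: add_query_arg() with no URL argument builds on
// $_SERVER['REQUEST_URI'], so whatever is in the current request URL is
// concatenated straight into the href attribute without escaping.
function example_pagination_link_unsafe( $page ) {
    return '<a href="' . add_query_arg( 'paged', (int) $page ) . '">Next</a>';
}

// HARDENED FORM: the URL is still derived from the request, but esc_url()
// escapes it for the attribute context before it reaches the markup.
function example_pagination_link_safe( $page ) {
    return '<a href="' . esc_url( add_query_arg( 'paged', (int) $page ) ) . '">Next</a>';
}

// remove_query_arg() shares the same REQUEST_URI default and needs the
// same treatment on output.
function example_clear_sort_link_safe() {
    $url = remove_query_arg( array( 'orderby', 'order' ) );
    return '<a href="' . esc_url( $url ) . '">Clear sorting</a>';
}
```

When auditing a plugin or theme, look for every place an add_query_arg() or remove_query_arg() result is echoed or concatenated into HTML and confirm it passes through esc_url() (or esc_url_raw() for non-HTML contexts such as redirects) first; the fix in the 2015 coordinated updates was exactly that escaping step.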

Re: Widespread WordPress Plugins and Themes Security Vulnerability

A good reason to pare back the number of plugins we use on our blogs.

Re: Widespread WordPress Plugins and Themes Security Vulnerability

Thanks for the heads-up. I’m pretty sure mine are all upgraded, but I’ll be double-checking here in a few minutes! Also, for those that aren’t having their blogs auto-update, you NEED to install the latest version YESTERDAY … there is a huge vulnerability in the comment scripting.

If your WordPress site allows users to post comments via the WordPress commenting system, you’re at risk. An attacker could leverage a bug in the way comments are stored in the site’s database to insert malicious scripts on your site, thus potentially allowing them to infect your visitors with malware, inject SEO spam or even insert a backdoor in the site’s code if the code runs in a logged-in administrator’s browser.
Read more here

Re: Widespread WordPress Plugins and Themes Security Vulnerability

[QUOTE=Bec;158740]Thanks for the heads-up. I’m pretty sure mine are all upgraded, but I’ll be double-checking here in a few minutes! Also, for those that aren’t having their blogs auto-update, you NEED to install the latest version YESTERDAY … there is a huge vulnerability in the comment scripting.
Read more here[/QUOTE]

Any idea if this affects blogs running the Disqus comment system?

Re: Widespread WordPress Plugins and Themes Security Vulnerability

I can’t remember if the Disqus plugin is in the list, but irrespective, it affects all blogs running any of the over 400 plugins, so update to 4.2.1 as soon as possible, and update any themes and plugins that need updating. ThemeForest also sent out a notice, noting that many themes are also at risk and that their authors will be rushing out fixes, as will plugin authors on CodeCanyon.

Re: Widespread WordPress Plugins and Themes Security Vulnerability

Ah brilliant, I have already done all the updates :slight_smile:

Re: Widespread WordPress Plugins and Themes Security Vulnerability

It might be worth people checking their mobile versions; nothing is working on mine since WP updated today.
WPTouch isn’t loading posts unless I disable the slider, videos aren’t displaying, polls aren’t functioning. I am at a loss as to what has happened; the only change in this time has been the WP update.

Re: Widespread WordPress Plugins and Themes Security Vulnerability

[QUOTE=conran;158751]It might be worth people checking their mobile versions; nothing is working on mine since WP updated today.
WPTouch isn’t loading posts unless I disable the slider, videos aren’t displaying, polls aren’t functioning. I am at a loss as to what has happened; the only change in this time has been the WP update.[/QUOTE]

I had quite a few plugin problems at first; once the updates started coming, things started working better then @-)

Re: Widespread WordPress Plugins and Themes Security Vulnerability

Well, even deactivating all plugins and leaving WPTouch, I still have (guessing here) jQuery issues, ever since the WP update. Menus, videos and polls are all fucked up.

Finally got videos kind of showing (halfway off the page) by changing the video setting from responsive to fixed size, but menus and polls are still not responding at all, no matter what I do.

Re: Widespread WordPress Plugins and Themes Security Vulnerability

I can’t see it being affected; Disqus is a third-party system totally separate from WordPress. It should be safe.