If you run WordPress, then NOW is the time to UPDATE!
Anyone running a WordPress website needs to be aware of this current security issue and take immediate action to make sure their website is secure. A lot of plugins and themes have been found to be vulnerable to Cross-site Scripting (XSS) due to the misuse of two coding functions: add_query_arg() and remove_query_arg().
What should I do?
Well, you could review the code, search for the two functions listed above, and make sure their output is properly escaped. Or you could just Update, Update, Update, Patch, Patch, Patch…
You should make sure your site is updated to WordPress 4.2.1 or later and make sure your plugins and themes are also up to date. I will go further and say I strongly recommend continuing to check for updates over the next few weeks.
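For the manual review option mentioned above, here is one way to automate the search. This is an added example, not code from WordPress or from the linked advisories. It assumes that wrapping a call in esc_url() or esc_url_raw() counts as properly escaped. The function name find_unescaped_calls and the PHP sample are constructed for illustration.

```python
import re

# The two functions named in the advisory.
RISKY = {"add_query_arg", "remove_query_arg"}
# Assumption: WordPress URL-escaping helpers treated as safe wrappers.
ESCAPERS = {"esc_url", "esc_url_raw"}

# An identifier followed by "(", a bare "(", a ")", or a statement-ending ";".
TOKEN = re.compile(r"([A-Za-z_]\w*)\s*\(|(\()|(\))|(;)")


def find_unescaped_calls(php_source):
    """Return (line_number, function_name) for each risky call that is not
    lexically nested inside an escaping call. Heuristic: strings and
    comments are not parsed, so treat hits as candidates for manual review."""
    findings = []
    stack = []  # names of the calls currently open ("" for a bare paren)
    for m in TOKEN.finditer(php_source):
        name, bare_open, close, semi = m.groups()
        if name is not None:
            if name in RISKY and not any(n in ESCAPERS for n in stack):
                line_no = php_source.count("\n", 0, m.start()) + 1
                findings.append((line_no, name))
            stack.append(name)
        elif bare_open:
            stack.append("")
        elif close:
            if stack:
                stack.pop()
        elif semi:
            stack.clear()  # resynchronise at statement boundaries
    return findings


# Constructed sample, not taken from any real plugin.
SAMPLE = """<?php
echo '<a href="' . add_query_arg( 'page', 2 ) . '">Next</a>';
echo '<a href="' . esc_url( add_query_arg( 'page', 2 ) ) . '">Next</a>';
$clean = esc_url_raw( remove_query_arg( array( 'a', 'b' ), $url ) );
printf( '<a href="%s">x</a>', remove_query_arg( 'msg' ) );
"""

if __name__ == "__main__":
    for line_no, func in find_unescaped_calls(SAMPLE):
        print(f"line {line_no}: {func}() output is not wrapped in esc_url()")
```

A call whose result is stored in a variable and escaped later is still reported, so each hit needs a look at where the value ends up.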
More details are available via the following links:
- https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html
- https://wptavern.com/xss-vulnerability-affects-more-than-a-dozen-popular-wordpress-plugins
- https://poststatus.com/coordinated-plugin-updates-to-address-security-vulnerability-in-many-popular-wordpress-plugins/
- https://wordpress.org/news/2015/04/wordpress-4-2-1/