
XSS Vulnerability in Hundreds of WordPress Plugins

Recent vulnerabilities in popular WordPress plugins expose sites to XSS attacks. Users must take immediate action to secure their installations.

Dmytro
Tags: XSS, WordPress security, plugin vulnerability, web security, website protection, safe browsing

A few days ago (April 2015), Sucuri published information about multiple vulnerabilities in many popular WordPress plugins: Security Advisory: XSS Vulnerability Affecting Multiple WordPress Plugins. The root cause is the same in every affected plugin. The WordPress API functions add_query_arg() and remove_query_arg() build a URL from the current request ($_SERVER['REQUEST_URI']) when no base URL is given and return it unescaped; many plugin authors assumed the result was already safe and printed it straight into HTML attributes without passing it through esc_url() (or esc_url_raw() for redirects and headers). This is reflected XSS: an attacker has to get a logged-in user, typically an administrator, to open a crafted link, but in the admin area that is enough to perform actions with that user's privileges.
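The following is an added example, not code from the Sucuri advisory or from any plugin listed below. It shows the bug class behind the advisory: a plugin that echoes the return value of add_query_arg() into an attribute, next to the escaped form. The two function stand-ins are simplified models of the WordPress functions (an assumption of this example, not WordPress's real implementation) so the file runs with plain `php`; inside WordPress the real functions are used because of the function_exists() guards. The request URI is constructed for the demo.

```php
<?php
/*
 * Added example, not from the advisory or any listed plugin.
 * Models the pattern: add_query_arg()/remove_query_arg() build their result
 * from $_SERVER['REQUEST_URI'] and do not HTML-escape it; the plugin must do
 * that itself with esc_url() before printing it.
 */

if ( ! function_exists( 'add_query_arg' ) ) {
    // Simplified model of add_query_arg( $key, $value ) with no base URL
    // (assumption of this example). parse_str() URL-decodes the incoming
    // parameter names and values; only the values are re-encoded on the way
    // out, so a crafted parameter *name* reaches the output verbatim.
    function add_query_arg( $key, $value ) {
        $parts = explode( '?', $_SERVER['REQUEST_URI'], 2 );
        $args  = array();
        if ( isset( $parts[1] ) ) {
            parse_str( $parts[1], $args );
        }
        $args[ $key ] = $value;
        $pairs = array();
        foreach ( $args as $k => $v ) {
            $pairs[] = $k . '=' . urlencode( (string) $v );
        }
        return $parts[0] . '?' . implode( '&', $pairs );
    }
}

if ( ! function_exists( 'esc_url' ) ) {
    // Simplified model of esc_url() (assumption of this example): reject
    // non-http(s) schemes, then entity-encode so the value is safe inside an
    // HTML attribute.
    function esc_url( $url ) {
        if ( preg_match( '#^[a-z][a-z0-9+.\-]*:#i', $url ) && ! preg_match( '#^https?:#i', $url ) ) {
            return '';
        }
        return htmlspecialchars( $url, ENT_QUOTES, 'UTF-8' );
    }
}

// VULNERABLE: the pattern the advisory describes. The unescaped return value
// is written straight into an href attribute.
function demo_vulnerable_link() {
    return '<a href="' . add_query_arg( 'page', 'demo-settings' ) . '">Settings</a>';
}

// FIXED: escape for the output context. esc_url() when the URL lands in HTML,
// esc_url_raw() when it goes to wp_redirect(), a header or the database.
function demo_fixed_link() {
    return '<a href="' . esc_url( add_query_arg( 'page', 'demo-settings' ) ) . '">Settings</a>';
}

// Constructed request URI for the demo: the attacker lures an admin to this
// link. The extra parameter's *name* closes the href attribute and injects a
// script tag. PHP keeps the request line URL-encoded exactly as the browser
// sent it; the model above decodes it when it rebuilds the query string.
$_SERVER['REQUEST_URI'] = '/wp-admin/admin.php?page=demo&%22%3E%3Cscript%3Ealert(1)%3C/script%3E=1';

echo "vulnerable: " . demo_vulnerable_link() . "\n";
echo "fixed:      " . demo_fixed_link() . "\n";
```

Running it with `php demo.php` prints the vulnerable line as `<a href="/wp-admin/admin.php?page=demo-settings&"><script>alert(1)</script>=1">Settings</a>`, which a browser renders as a closed link followed by an executing script, while the fixed line keeps the whole value inside the attribute as `&quot;&gt;&lt;script&gt;...`. When auditing a plugin, grep for add_query_arg and remove_query_arg and check that every call whose result is echoed is wrapped in esc_url() or esc_url_raw().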

Affected Plugins

As shown by Sucuri’s research, the vulnerability is present in many popular plugins:

  • Jetpack
  • WordPress SEO
  • Google Analytics by Yoast
  • All In One SEO
  • Gravity Forms
  • Multiple Plugins from Easy Digital Downloads
  • UpdraftPlus
  • WP-E-Commerce
  • WPTouch
  • Download Monitor
  • Related Posts for WordPress
  • My Calendar
  • P3 Profiler
  • Give
  • Broken Link Checker
  • Ninja Forms

Please note — this is not an exhaustive list. The total number of affected plugins is in the hundreds.

What Should Be Done?

  1. Make sure you have a working backup before changing anything. You can use our backup service or another option (for example, see our guide on storing backups in Dropbox). A backup you have never restored is not a backup: test a restore regularly rather than only checking that the files exist.
  2. Update WordPress core and all plugins. Check for updates daily, especially over the next 1-2 weeks while developers release patched versions; Dashboard > Updates in the admin area lists everything with a newer version.
  3. Update your themes as well. Themes use the same API and can contain the same unescaped add_query_arg()/remove_query_arg() calls.
  4. Make exploitation harder with a WAF (mod_security for Apache, naxsi for Nginx, or a similar product). Expect false positives in the admin area at first, since editors legitimately submit HTML, so start in learning or detection-only mode and add whitelist rules before switching to blocking.
  5. Restrict access to the wp-admin directory (and wp-login.php, if only administrators log in) to the IP addresses from which the site is administered. Keep wp-admin/admin-ajax.php reachable for everyone if any front-end feature (forms, search, carts) uses it, otherwise those features break for visitors.
  6. Remove unused plugins and themes. Inactive code is still on disk and its PHP files can still be requested directly; if a developer has not updated something for a long time, look for an alternative.
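For steps 4 and 5, here is an added nginx configuration sketch; it is not from the original post. It assumes nginx built with the naxsi module, `include naxsi_core.rules;` already present in the http {} block, PHP-FPM listening on the socket shown, and 203.0.113.0/24 as the administration network. The host name, paths and network are placeholders to replace with your own; run `nginx -t` before reloading.

```nginx
# ---- /etc/nginx/naxsi_site.rules (placeholder path) ----
# Included in every location that ends up at PHP: naxsi evaluates a request in
# the location that handles it, so rules only in "location /" would not cover
# requests that land directly in a PHP location.
SecRulesEnabled;
# LearningMode;                    # uncomment while tuning: log only, no blocking
DeniedUrl "/RequestDenied";
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
# Add BasicRule whitelists here for false positives found in the naxsi log
# (editors posting HTML in wp-admin are the usual source).

# ---- /etc/nginx/sites-available/example.com (placeholder) ----
server {
    listen 80;
    server_name example.com;           # placeholder
    root /var/www/example.com;         # placeholder
    index index.php;

    location / {
        include /etc/nginx/naxsi_site.rules;
        try_files $uri $uri/ /index.php?$args;
    }

    # naxsi internally redirects blocked requests here.
    location /RequestDenied {
        return 403;
    }

    # Step 5: admin area and login page only from the admin network.
    # Drop wp-login.php from the pattern if ordinary users log in remotely.
    location ~ ^/(wp-admin/|wp-login\.php) {
        allow 203.0.113.0/24;
        deny all;
        location ~ \.php$ {
            include /etc/nginx/naxsi_site.rules;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php-fpm.sock;
        }
    }

    # Exception: admin-ajax.php also serves logged-out visitors (plugin
    # front-end features call it), so it stays open. The exact match "="
    # takes precedence over the regex location above.
    location = /wp-admin/admin-ajax.php {
        allow all;
        include /etc/nginx/naxsi_site.rules;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # Ordinary front-end PHP.
    location ~ \.php$ {
        include /etc/nginx/naxsi_site.rules;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

Regex locations are matched in file order, so the wp-admin block must appear before the generic `\.php$` block or admin requests would bypass the IP check. The WAF and the IP restriction are mitigations only: they reduce exposure while you wait for patched plugin releases, they do not fix the unescaped output in the plugin code.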
