WordPress XSS vulnerability

Mike Mingard

A couple of days ago a major vulnerability was discovered in some of the most popular plugins for WordPress.

WordPress is the world’s most popular content management system for websites. According to www.w3techs.com, as of January 2015 23.3% of the top 10 million websites were powered by WordPress. Because of its popularity it’s a common target for hackers, and software that automates attacks against known vulnerabilities can even be purchased.

People that look after WordPress sites have long known about the importance of keeping a close eye on the system and installing updates as soon as they become available.

The most recent alert, however, relates to some of the plugins that sites use to add functionality to the core WordPress system. The vast number of plugins available is actually one of the keys to the system’s popularity.

The vulnerability itself is a form of what is called Cross-site Scripting (XSS). Without getting into too much detail, it is basically a way for a hacker to insert malicious content into a site they have compromised so that it is served to, and runs in the browsers of, that site’s visitors. The severity obviously depends on the content being inserted. It could simply manifest as the online equivalent of graffiti, where the target website is defaced. More seriously, the content could be used to capture sensitive information such as banking details or passwords.
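The root cause of almost every XSS bug is untrusted input written into a page without escaping. The following is an added example, not code from this post or from any of the plugins named in it: a plugin-style PHP snippet that renders a search heading and a form field, first unescaped and then escaped. The `$untrusted` string is constructed to stand in for a query parameter; the function names are hypothetical. Plain `htmlspecialchars()` is used so the file runs outside WordPress, with the equivalent WordPress helpers noted in the comments.

```php
<?php
// Added example (not from the post or any named plugin).
// Shows the defect behind most XSS bugs: untrusted input echoed into HTML unescaped.

// Vulnerable: the query string is concatenated straight into markup, so any
// tags it contains are interpreted by the visitor's browser.
function render_search_vulnerable(string $query): string
{
    return '<h2>Results for ' . $query . '</h2>' . PHP_EOL
         . '<input name="s" value="' . $query . '">' . PHP_EOL;
}

// Hardened: encode for the context the value lands in.
// In a WordPress plugin the equivalents are esc_html() for element content,
// esc_attr() for attribute values and esc_url() for anything placed in a URL.
function render_search_safe(string $query): string
{
    $text = htmlspecialchars($query, ENT_QUOTES | ENT_HTML5, 'UTF-8'); // element content
    $attr = htmlspecialchars($query, ENT_QUOTES | ENT_HTML5, 'UTF-8'); // attribute value
    return '<h2>Results for ' . $text . '</h2>' . PHP_EOL
         . '<input name="s" value="' . $attr . '">' . PHP_EOL;
}

// Constructed input standing in for $_GET['s'] on a search page.
$untrusted = '"><script>alert(document.cookie)</script>';

echo "--- vulnerable output (script tag survives intact) ---\n";
echo render_search_vulnerable($untrusted);

echo "--- escaped output (shown as text, never executed) ---\n";
echo render_search_safe($untrusted);
```

Run with `php example.php`. In the first block of output the `"` closes the `value` attribute early and the `<script>` element is emitted verbatim; in the second every `<`, `>`, `"` and `&` is encoded, so the browser displays the text instead of running it. The practical rule for anyone reviewing a plugin is the same one WordPress’s own coding standards state: escape late, at the point of output, using the helper that matches the context.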

Therefore it’s vital that any sites you administer are checked thoroughly. Here is a list of the better-known plugins that are confirmed to be affected. It’s possible more will come to light in the future.

  • Jetpack
  • WordPress SEO
  • Google Analytics by Yoast
  • All In one SEO
  • Gravity Forms
  • Multiple Plugins from Easy Digital Downloads
  • UpdraftPlus
  • WP-E-Commerce
  • WPTouch
  • Download Monitor
  • Related Posts for WordPress
  • My Calendar
  • P3 Profiler
  • Give
  • Multiple iThemes products including Builder and Exchange
  • Broken-Link-Checker
  • Ninja Forms

This vulnerability once again underlines the importance of keeping not just your WordPress installation up-to-date but also any plugins you use.
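One quick way to act on that advice across a site is to feed WP-CLI’s plugin listing into a short audit. The script below is an added example, not code from this post: it reads the JSON that `wp plugin list --format=json` prints (fields `name`, `status`, `update`, `version`), flags any plugin with a pending update, and highlights those whose slug is on the affected list above. The slug-to-plugin mapping is an assumption made here, since the post names plugins by display name rather than slug and only the unambiguous ones are included; the sample listing is constructed so the script runs offline.

```python
import json

# Assumed wordpress.org slugs for the affected plugins named in the post.
# The post gives display names only, so this mapping is an assumption; extend it as needed.
AFFECTED_SLUGS = {
    "jetpack",
    "wordpress-seo",                  # WordPress SEO
    "google-analytics-for-wordpress", # Google Analytics by Yoast
    "all-in-one-seo-pack",            # All In One SEO
    "gravityforms",                   # Gravity Forms
    "updraftplus",
    "wp-e-commerce",
    "wptouch",
    "download-monitor",
    "broken-link-checker",
    "ninja-forms",
}

# Constructed stand-in for the output of `wp plugin list --format=json`.
# Version strings are placeholders; only the "update" field drives the verdict.
SAMPLE_WP_CLI_JSON = json.dumps([
    {"name": "jetpack",       "status": "active",   "update": "available", "version": "0.0-sample"},
    {"name": "wordpress-seo", "status": "active",   "update": "none",      "version": "0.0-sample"},
    {"name": "ninja-forms",   "status": "inactive", "update": "available", "version": "0.0-sample"},
    {"name": "hello",         "status": "inactive", "update": "available", "version": "0.0-sample"},
])


def audit_plugins(wp_cli_json, affected=AFFECTED_SLUGS):
    """Return {slug: verdict} for every installed plugin, active or not."""
    verdicts = {}
    for plugin in json.loads(wp_cli_json):
        slug = plugin["name"]
        listed = slug in affected
        pending = plugin.get("update") == "available"
        if listed and pending:
            verdicts[slug] = "UPDATE NOW: on the affected list and an update is pending"
        elif listed:
            # No update offered: confirm with the vendor that the installed build is fixed.
            verdicts[slug] = "on the affected list, no update pending: confirm fixed version with the vendor"
        elif pending:
            verdicts[slug] = "update available"
        else:
            verdicts[slug] = "ok"
    return verdicts


def plugins_needing_action(wp_cli_json, affected=AFFECTED_SLUGS):
    """Sorted slugs that need a human to do something."""
    return sorted(slug for slug, v in audit_plugins(wp_cli_json, affected).items() if v != "ok")


if __name__ == "__main__":
    # On a real site: wp plugin list --format=json > plugins.json, then pass that text in.
    for slug, verdict in audit_plugins(SAMPLE_WP_CLI_JSON).items():
        print(f"{slug:32} {verdict}")
```

Note that inactive plugins are deliberately not skipped: their files are still on disk and still reachable, so they are updated or removed on the same schedule as active ones. Applying the updates themselves is then a matter of `wp plugin update --all` (or the dashboard), followed by a check that the site still behaves.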

If you are unsure about how to proceed or need any advice or help please contact us or call 01293 562 700.