Same bug hits dozens of WordPress plugins, potentially affecting millions of websites

Millions of WordPress websites may be exposed to attackers through a cross-site scripting flaw that has seeped into multiple plugins via unclear recommendations in WordPress' official documentation.

Security firm Sucuri today released a long but as yet incomplete list of WordPress plugins that share the same bug, which may leave millions of websites, and their users, exposed to cross-site scripting (XSS) attacks.

The flaw could allow an attacker to inject malicious script into pages served by a vulnerable site, so that an otherwise benign site delivers attacker-controlled code, or malware, to a visitor's browser.

With over one million installations, Automattic's Jetpack plugin is one of the most popular of the roughly 17 plugins patched during a coordinated effort over the past week involving plugin developers, the WordPress security team and Sucuri. Other affected plugins include WordPress SEO, Google Analytics by Yoast, All in One SEO Pack, Gravity Forms and at least a dozen other tools.

While the 17 plugins listed by Sucuri have been patched, Daniel Cid, Sucuri's founder and CTO, said the firm had only analysed about 400 plugins for the bug, meaning it is almost certain that some of the more than 37,000 third-party WordPress plugins available are still vulnerable.

As for the 17 that have been patched, Cid advised their users to update now. WordPress sites with automatic updates enabled should have received the updates today.

Why are so many sites affected by the same flaw?

The answer lies in WordPress' official documentation. The bug, and its link to the documentation, was discovered by Joost de Valk, developer of the Google Analytics by Yoast and WordPress SEO plugins, which were among the plugins patched this week and have over one million installations.

De Valk received a report that his SEO plugin contained an XSS flaw. Investigating how it came to be there, he found he had introduced it by following recommendations in WordPress' official documentation, known as the Codex.


“I, Joost, created the particular problem myself and was wondering how that had gotten by me, when I figured out that both the Codex and the developer documentation for these functions were missing the fact that you had to escape their output. In fact, the examples in them when copied would create exploitable code straight away,” the developer said.

De Valk intended to release a patch independently last Wednesday but thought better of it after realising that others might have made the same mistake. That realisation prompted the coordinated security release over the past week.

Sucuri's Cid explained that an ambiguity in the official documentation “misled many plugin developers to use them in an insecure way”, encouraging misuse of add_query_arg() and remove_query_arg(), two functions widely used by WordPress plugin developers to build URLs.

“The developers assumed that these functions would escape the user input for them, when they do not. This simple detail caused many of the most popular plugins to be vulnerable to XSS,” he said.

WordPress has also released updated guidelines explaining how to use the functions correctly and how to fix vulnerable plugins.

“Both add_query_arg() and remove_query_arg() have an optional argument to define the base query string to use. If this argument is undefined, it will use $_SERVER['REQUEST_URI'], which is unescaped. When printed out to a page, this could be used as an XSS attack vector,” the guidelines explain.

“The easiest way to fix this in your plugin is to escape the output of add_query_arg() and remove_query_arg(). When it’s being printed to a page (for example as a link), you should use esc_url(). When it’s being used in HTTP headers or as part of an HTTP request (for example, as part of a location redirect header or in a wp_remote_get() call), you should use esc_url_raw().”
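As an added example, not code from the article, from WordPress core or from any plugin named above, the following script puts the vulnerable pattern the Codex examples encouraged beside the escaped forms the guidelines now recommend. The add_query_arg(), remove_query_arg(), esc_url() and esc_url_raw() stand-ins defined at the top are assumptions: simplified imitations so the script runs outside WordPress, not the real implementations. The request URI is constructed for the demonstration.

```php
<?php
// Added example (not the article's, WordPress's or any plugin's code).
// Run from the command line: php add_query_arg_xss.php
//
// Outside WordPress the real functions do not exist, so simplified stand-ins
// are defined below. They are assumptions that mimic only the behaviour the
// guidelines describe (default base = the unescaped $_SERVER['REQUEST_URI'];
// esc_url() drops characters that are never valid in a URL). Inside WordPress
// the function_exists() guards skip them and the real functions are used.

if (!function_exists('add_query_arg')) {
    // Stand-in: add or replace one query parameter. With no $uri given it
    // falls back to the raw request URI, as WordPress does. Only the query
    // string is rebuilt; the path portion passes through untouched.
    function add_query_arg($key, $value, $uri = null)
    {
        if ($uri === null) {
            $uri = $_SERVER['REQUEST_URI'];
        }
        $parts = explode('?', $uri, 2);
        $base  = $parts[0];
        $query = [];
        if (isset($parts[1])) {
            parse_str($parts[1], $query);
        }
        if ($value === false) {
            unset($query[$key]);          // removal, used by remove_query_arg()
        } else {
            $query[$key] = $value;
        }
        $qs = http_build_query($query);
        return $qs === '' ? $base : $base . '?' . $qs;
    }
}

if (!function_exists('remove_query_arg')) {
    // Stand-in: removal expressed as add_query_arg() with a false value.
    function remove_query_arg($key, $uri = null)
    {
        return add_query_arg($key, false, $uri);
    }
}

if (!function_exists('esc_url_raw')) {
    // Stand-in for the variant used in headers and HTTP requests: strips
    // characters that cannot appear in a URL and adds no HTML entities.
    function esc_url_raw($url)
    {
        return preg_replace('#[^a-z0-9\-~+_.?\#=!&;,/:%@$|*\'()\[\]\x80-\xff]#i', '', $url);
    }
}

if (!function_exists('esc_url')) {
    // Stand-in for the display variant: same character filter, then entity-
    // encode & and ' so the result is safe inside a double-quoted attribute.
    function esc_url($url)
    {
        return str_replace(['&', "'"], ['&#038;', '&#039;'], esc_url_raw($url));
    }
}

// --- What a plugin does with them ------------------------------------------

// Vulnerable: raw add_query_arg() output printed into an attribute, the shape
// the old Codex examples showed. Whatever is in REQUEST_URI lands in the href.
function next_page_link_vulnerable($page)
{
    return '<a href="' . add_query_arg('paged', $page) . '">Next &raquo;</a>';
}

// Fixed: esc_url() around anything printed into the page.
function next_page_link_fixed($page)
{
    return '<a href="' . esc_url(add_query_arg('paged', $page)) . '">Next &raquo;</a>';
}

// Fixed: esc_url_raw() for a Location header or wp_remote_get() target, where
// the HTML entities esc_url() emits would corrupt the URL.
function settings_redirect_target()
{
    return esc_url_raw(remove_query_arg('settings-updated'));
}

// --- Demonstration (command line only) -------------------------------------
if (PHP_SAPI === 'cli') {
    // Constructed request URI: an attacker-controlled path segment carrying a
    // quote and a tag, followed by the plugin's own query string.
    $_SERVER['REQUEST_URI'] = '/wp-admin/admin.php/"><script>alert(1)</script>?page=demo-plugin&settings-updated=true';

    echo "vulnerable: ", next_page_link_vulnerable(2), "\n";
    echo "fixed:      ", next_page_link_fixed(2), "\n";
    echo "redirect:   ", settings_redirect_target(), "\n";
}
```

In the first line of output the quote from the path closes the href attribute and the following `>` closes the tag, so the script element is emitted as markup rather than as part of the URL; in the second the quote and angle brackets are gone and the `&` separators are entity-encoded, leaving a harmless link; the third shows the raw form with no entities, which is what a redirect header needs. Passing an explicit, known-safe base URL as the last argument to add_query_arg() avoids the REQUEST_URI fallback altogether, but the output still needs escaping for the context it is printed into.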

WordPress hasn’t released security patches for the platform itself since November last year; however, vulnerable WordPress plugins have become a popular target for attackers. Earlier this month the FBI warned that ISIS sympathisers were exploiting unpatched WordPress plugins to spread propaganda by defacing vulnerable websites.



This article is brought to you by Enex TestLab, content directors for CSO Australia.
