The security research firm Sucuri and a team of WordPress developers have discovered a crucial flaw that can potentially put thousands if not millions of websites at risk.
The flaw they discovered lies in the misuse of the add_query_arg() and remove_query_arg() functions. As a consequence, the vulnerability opens new doors for attackers to steal information and execute malicious commands using cross-site scripting (XSS).
According to the developers and researchers, the XSS vulnerability arose not from developers' inability to code their plugins correctly, but from the official WordPress documentation (the Codex).
Daniel Cid, founder and CTO of Sucuri, wrote in his blog that it was the Codex's unclear explanation of the functions that led developers to “assume that these functions would escape the user input…when [in reality] it does not.” That ambiguity caused many popular plugins to become vulnerable to the XSS exploit.
Jetpack, WordPress SEO, Google Analytics by Yoast, All In One SEO, Gravity Forms, WPTouch, and a slew of other well-known plugins all fell victim to the recently discovered exploit. There are probably plenty of other plugins out there that are susceptible, and the only way to reduce the chance of becoming a victim is to update all plugins as soon as possible.
Sucuri wrote on its blog that WordPress admins must patch their sites ASAP, and that for an added layer of protection admins should restrict their wp-admin directory to verified (white-listed) IP addresses only. Even after all this is done, the security watchdog also recommends that WordPress users regularly monitor their site logs to pick out anything that seems abnormal. Additionally, admins can install Sucuri's plugin or SiteCheck to do the scanning for them. Lastly, site admins should add an Intrusion Prevention System (IPS) or Web Application Firewall (WAF) to block the most common forms of XSS attacks.
The recent discovery of the XSS exploit says a lot about how quickly a popular platform can succumb to even the most minor vulnerability. However, it also reveals that the WordPress community is full of true professionals and dedicated developers. As soon as the function vulnerability was discovered, all the major plugin developers came together to work out a game plan to fix the issue and deploy the patches in unison. Such streamlined collaboration across so immense a network is hard to come by.
As of today, all of the major plugins mentioned above are fully patched, and all site admins have to do is sign into their CMS and apply the updates. Users who don't see update notifications should clear their cache by visiting wp-admin/update-core.php.
Within a window of only 3-4 days, the WordPress developer community was able to assemble and come up with patches that plugged the XSS hole, so kudos to them! Developers who have not yet updated their plugins are advised to do the following:
“The short version for developers of how to fix this issue: if you’re using either add_query_arg or remove_query_arg without passing in the URL, it bases the URL it creates off of $_SERVER['REQUEST_URI']. In that process, it URL decodes the parameter names in the request URI, allowing for XSS. The solution is to simply wrap the output in esc_url and you’re done. Not a hard fix, but it has to be done.”
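To make the quoted advice concrete, here is an added example (not code from the article, from Sucuri, or from any of the plugins named above) showing the vulnerable pattern next to the fixed one. The plugin name, the myplugin_status parameter and the three function names are hypothetical; the code assumes it runs inside WordPress, where add_query_arg(), esc_url(), esc_html() and admin_url() are core functions.

```php
<?php
// Added example, not from the original article or any named plugin.
// Assumes a WordPress runtime: add_query_arg(), esc_url(), esc_html()
// and admin_url() are WordPress core functions, not defined here.
// "myplugin" and "myplugin_status" are hypothetical names.

// Vulnerable form: with no URL argument, add_query_arg() builds its result
// from $_SERVER['REQUEST_URI'], and the parameter names in that URI are
// URL-decoded on the way through. Echoing the result raw places bytes the
// requester controls directly inside an href attribute.
function myplugin_filter_link_vulnerable( $status ) {
    $url = add_query_arg( 'myplugin_status', $status );
    return '<a href="' . $url . '">' . esc_html( $status ) . '</a>';
}

// Fixed form: the one-line fix the article quotes. esc_url() removes
// characters that cannot appear in a URL and entity-encodes the rest,
// so the value is safe to print inside an attribute.
function myplugin_filter_link_fixed( $status ) {
    $url = add_query_arg( 'myplugin_status', $status );
    return '<a href="' . esc_url( $url ) . '">' . esc_html( $status ) . '</a>';
}

// Defence in depth: pass an explicit base URL as the third argument so
// the request URI is never consulted at all, and still escape the output.
function myplugin_filter_link_explicit( $status ) {
    $base = admin_url( 'admin.php?page=myplugin' );
    $url  = add_query_arg( 'myplugin_status', $status, $base );
    return '<a href="' . esc_url( $url ) . '">' . esc_html( $status ) . '</a>';
}

// Usage inside an admin page callback (example only):
// echo myplugin_filter_link_fixed( 'active' );
```

When reviewing a plugin for this issue, the pattern to look for is any call to add_query_arg() or remove_query_arg() whose return value reaches HTML output without passing through esc_url() (or esc_url_raw() for non-HTML contexts such as redirects). Supplying the base URL explicitly, as in the third function, is a useful habit because it removes the dependency on the request URI entirely, but it is not a substitute for escaping the output.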
Joost de Valk from Yoast has even offered a helping hand to developers who don't know where to start. You can contact him via @joostdevtalk and he'll explain how the vulnerability is exploited and where developers should begin fixing it.