For the past week, security firm Sucuri has worked with the WordPress core security team to address a cross site scripting vulnerability discovered in more than a dozen popular WordPress plugins. The vulnerability stems from the improper use of the add_query_arg() and remove_query_arg() functions. Inaccurate information within the WordPress Codex lead many developers to assume these functions would properly escape user input.

The Codex pages were created in 2009, but earlier this year, Samuel ‘Otto’ Wood updated both pages to include information on using esc_url(). Inaccurate information has existed on both pages for more than five years, leading hundreds, if not thousands, of developers to use insecure code in plugins.

The vulnerability was first reported by Joost de Valk who has an excellent post describing the issue. Sucuri worked with Yoast and discovered the problem affects a lot more plugins than just WordPress SEO. Sucuri has audited the top 300-400 plugins in the directory and found at least 15 plugins to contain vulnerable code.

With over 37,000 plugins in the directory, 400 is just scratching the surface. Gary Pendergast, who is helping to manage the coordinated effort says, he doesn’t have an official headcount of the number of plugins affected. “There is no official head count on how many plugins are affected, as it’s a case-by-case thing to check.” Some of the vulnerable plugins within the list have opted-out of automatic updates. “Jetpack, EDD, P3, Download Monitor and Related Posts for WP opted-in to auto updates. I didn’t keep track of who opted out,” he said.

So far, there is no evidence that suggests the vulnerability is being actively exploited. It’s extremely important that plugin authors revisit your code to make sure you’re not improperly using the add_query_arg() and remove_query_arg() functions. The Make WordPress Plugins site has a post that provides in-depth information on how to check and fix your plugins.

This Vulnerability is Not New

Mike Jolley, lead developer for WooThemes, published a post in 2013 on the use of WordPress’ URL manipulation functions. The post features add_query_arg() and remove_query_arg(), but near the end of the post, Jolley reminds developers to escape everything.

This caught me out a few weeks ago when I found out (the hard way) that WordPress doesn’t automatically sanitize the current URL if you don’t pass in your own. You need to use esc_url during output: echo esc_url( add_query_arg( $key, $value ) ); If you forget to do this, a malicious URL, for example one containing some JavaScript, could potentially be output and executed on your page. Escape all the things to be safe!

Battle Testing the Automatic Updater

To date, this is the largest coordinated effort between an outside party, the WordPress core and security teams, and plugin developers. According to Sucuri, affected plugin developers banded together for the common good. Pendergast confirmed that the auto updates only contain code needed to fix the security vulnerability. This should limit the possibility of auto updates breaking sites.

The plugins listed above have already been patched and updates should be available to all users. Browse to Dashboard – Updates to check for and install any available updates.