Misunderstanding the use of WordPress functions add_query_arg() and remove_query_arg() functions have made WordPress Plugins and Themes vulnerable to Cross-site Scripting (XSS). Which plugins and Themes that are affected are not clear but many common used plugins are affected.
Up to now these plugins are affected:
- All In one SEO
- Download Monitor
- Google Analytics by Yoast
- Gravity Forms
- Multiple iThemes products including Builder and Exchange
- Multiple Plugins from Easy Digital Downloads
- My Calendar
- Ninja Forms
- P3 Profiler
- Related Posts for WordPress
- WordPress SEO
What lead to the XSS vulnerability is probably the misunderstanding of how the add_query_arg() and remove_query_arg() functions should be used according to WordPress. These functions are commonly used to add or modify the querystring in WordPress.
If you develop WordPress Themes or Plugins the advice is to check your usage of the two functions
Always escape unsecure inputs to a function before use, for example using the esc_url() parameter. Use esc_url_raw() if you need more control. This could be done in WordPress core itself but now it seems not to be done which lead to the vulnerability. I guess this is why WordPress in panic sent out their latest update to 4.2.1.
Security issues will always exist in programs even if developers spend many hours of finetuning and looking over their code. Programming is one of the hardest work you can have and not as simple as you might think. To create secure code demands very high knowledge and experience, together with good testing practice of the final program.
Another tip is to use a more secure web hosting and not just use a common web hosting, running on Linux servers. Also use a lot of security solutions like, Snort, Tripwire, NFW, other Intrusion Prevention System (IPS) or Web Application Firewall (WAF) and other special made security solutions crafted for the use of WordPress Sites.
These principles are commonly applied to most secure networks for example to be PCI compliant but not many website owners think of them for their own site / environment. If you want a more Secure Web Hosting use Webbfabriken Secure Web Hosting.