[Security !!!] Wordpress Emergency Plugin Updates

[kafirbaz12]

Wordpress Emergency Plugin Updates:

A new version of the Wordpress plugin "" () has been released. A recent hack was found in older versions of this plugin which allows an attacker to perform Cross-site Scripting (XSS) with no authentication required.

"Multiple WordPress Plugins are vulnerable to Cross-site Scripting (XSS) due to the misuse of the add_query_arg() and remove_query_arg() functions. These are popular functions used by developers to modify and add query strings to URLs within WordPress.

The official WordPress Official Documentation (Codex) for these functions was not very clear and misled many plugin developers to use them in an insecure way. The developers assumed that these functions would escape the user input for them, when it does not. This simple detail, caused many of the most popular plugins to be vulnerable to XSS."

To date, this is the list of affected plugins:

Jetpack
WordPress SEO
Google Analytics by Yoast
All In one SEO
Gravity Forms
Multiple Plugins from Easy Digital Downloads
UpdraftPlus
WP-E-Commerce
WPTouch
Download Monitor
Related Posts for WordPress
My Calendar
P3 Profiler
Give
Multiple iThemes products including Builder and Exchange
Broken-Link-Checker
Ninja Forms

See Details here:

https://blog.sucuri.net/2015/04/security...ugins.html

[danguy]

Thanks for the heads up! + rep'd

[savaskampas]

it is alot of more them ...:D some times boot kali linuks you gana see how meni holes wp got :D

[kafirbaz12]

You are right. This one is considered as a major one!

(04-22-2015 05:17 AM)savaskampas Wrote:  it is alot of more them ...:D some times boot kali linuks you gana see how meni holes wp got :D

[storm180]

Gravity forms is a big one, make sure you have version 1.9.5.

[kafirbaz12]

Yes
You have the latest All in One SEO Pack Pro (2.3.6.2) here:

http://bestblackhatforum.com/Thread-GET-...ro-2-3-6-2

(04-22-2015 05:38 AM)storm180 Wrote:  Gravity forms is a big one, make sure you have version 1.9.5.