Plasahosting Blogs
Web Hosting murah Indonesia

Security Advisory: XSS Vulnerability Affecting Multiple WordPress Plugins

February 28th 2016 in Artikel

Multiple WordPress Plugins are vulnerable to Cross-site Scripting (XSS) due to the misuse of the add_query_arg() and remove_query_arg() functions. These are popular functions used by developers to modify and add query strings to URLs within WordPress.

The official WordPress Official Documentation (Codex) for these functions was not very clear and misled many plugin developers to use them in an insecure way. The developers assumed that these functions would escape the user input for them, when it does not. This simple detail, caused many of the most popular plugins to be vulnerable to XSS.

To date, this is the list of affected plugins:

There are probably a few more that we have not listed. If you use WordPress, we highly recommend that you go to your wp-admin dashboard and update any out of date plugins now.

This issue was first identified by Joost from Yoast in one of his plugins (he did a great write up about it as well). We worked together with him to investigate the issue and found that it likely affected a lot more plugins than just that one.

Our research team, along with a few friends (especially Joost from Yoast ) have been going through the WordPress repository for the last few days in an attempt to find and warn as many plugin developers as possible – and to help them patch the issue.

Coordinated Disclosure

This vulnerability was initially discovered last week, due to the varying degrees of severity and more importantly, the large volume of plugins affected, we coordinated a joint security release with all developers involved and the WordPress core security team. It was great team work, and a pleasant experience to see so many developers united and working together for the common good. We can happily say that all plugins have been patched, and as of this morning updates should be available to all users. (yes, everyone pushed their updates in unison 2 hours ago).

If you use WordPress, now it is your turn to update your plugins!

If you have automatic updates enabled, your site should already be patched, especially in the most severe cases.

There Are More Plugins Vulnerable

Our team only analyzed the top 300-400 plugins, far from all of them as you might imagine. So there are likely a number of plugins still vulnerable. If you’re a developer, check your code to see how you are use these two functions:

add_query_arg
remove_query_arg

Make sure you are escaping them before use. We recommend using the esc_url() (or esc_url_raw())functions with them. You should not assume that add_query_arg and remove_query_arg will escape user input. The WordPress team is providing more guidelines on how to use them here.

Update Time!

If you use any of these plugins, make sure to update them now! We will continue to investigate and look for more plugins vulnerable and keep our list here current.

This is also a good time to remind everyone that all software will have bugs and some of those bugs will inevitably lead to security vulnerabilities, such is the life we live in. This applies to plugins, themes, webservers, CMS’s and basically anything that is written by people and based on code. As much as developers try to minimize them and deploy secure coding principles, mistakes will inevitably still happen. We just have to be prepared and find ways to minimize the effect of any vulnerability in your environment; a perfect example of such an approach is what you’re seeing today with this coordinate release.

Here are some tips and tricks to help reduce your overall risk profile and help improve your security posture:

  1. Patch. Keep your sites updated. Always.
  2. Restrict. Restrictive access control.
    • Restrict your wp-admin directory to only white listed IP Addresses. Only give admin access to users that really need it. Do not log in as admin unless you are really doing admin work. These are some examples of restrictive access control policies that can minimize the impact of vulnerabilities in your site.
  3. Monitor. Monitor your logs.
    • They may give you clues to what is happening on your site.
  4. Reduce your scope. Only use the plugins (or themes) that your site really needs to function.
  5. Detect. Prevention may fail, so we recommend scan your site for indicators of compromise or outdated software.
  6. If you like the open source route, you can try OSSEC, Snort and ModSecurity to help you achieve that.

These principles are commonly applied to most secure networks (or on any business that needs to be PCI compliant), but not many website owners think of them for their own site / environment.

These are but a few high level recommendations; we recommend going through our blog for more ideas on how to keep your sites safe and ahead of the threats.

About Daniel Cid
Daniel B. Cid is the Founder & CTO of Sucuri and also the founder of the open source project – OSSEC HIDS. His interests range from intrusion detection, log analysis (log-based intrusion detection), web-based malware research and secure development. You can find more about Daniel on his site dcid.me or on Twitter: @danielcid




required



required - won't be displayed


Your Comment:




Klik Plugins
Klik Add New
Ketik di search “easy updates manager”
Klik install di plugins easy updates manager.
Klik Activate.
Klik Plugins, pilih installed plugins
cari easy updates manager, klik configure
di dashboard plugin klik enable pada automatic plugins updates.
masih di dashboard klik enable pada automatic theme updates.
Bila diperlukan dapat mengaktipkan Major Release, tujuannya worpress akan ugprade ke versi mayor diatasnya, misalnya […]

Previous Entry

Cara setting untuk smartphone yang menggunakan sistem operasi windows phone seperti Nokia Lumia.

 

Buka Settings, Tekan email + accounts

 

Pilih add an account

Pilih advanced setup

 

 

masukan Email address dan Password
Tekan Next.

 

Pilih Internet email

 

 

Masukan Account email anda.

 

Masukan Nama anda.

 

 

masukan nama domain anda atau nama server di Incoming email server

 

 

Pilih POP3 atau IMAP4 as the Account Type, saran pilih […]

Next Entry