A number of WordPress plugins are vulnerable to cross-site scripting (XSS) due to the incorrect use of the 'add_query_arg()' and 'remove_query_arg()' functions, according to researchers with Sucuri.
Several plugins are vulnerable, including Jetpack, WordPress SEO, Google Analytics, All In One SEO Pack, Gravity Forms, WP eCommerce, and Download Monitor, a Monday post said.
The issue was identified last week and Sucuri - along with Joost de Valk, of Yoast - worked with many plugin developers to ensure patches were available before the problem was disclosed, the post indicated.
In a Monday post, de Valk wrote that “if you're using either add_query_arg or remove_query_arg without passing in the URL, it bases the URL it creates off of $_SERVER['REQUEST_URI']. In that process, it URL decodes the parameter names in the request URI, allowing for XSS. The solution is to simply wrap the output in esc_url and you're done.”
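The pattern de Valk describes, shown beside its fix, as an added PHP example that is not code from the Sucuri or Yoast posts nor from any of the plugins named. It assumes it runs inside WordPress (so add_query_arg(), remove_query_arg(), esc_url(), esc_url_raw() and wp_safe_redirect() are available); the demo_* function names are hypothetical.

```php
<?php
// Added example: an admin "sort" link built with add_query_arg() and
// remove_query_arg(). Assumes WordPress is loaded; demo_* names are hypothetical.

// VULNERABLE: no URL argument is passed, so add_query_arg() derives the link
// from $_SERVER['REQUEST_URI']. Parameter names in that string are URL-decoded,
// so request-controlled characters reach the href attribute unescaped.
function demo_sort_link_vulnerable( $orderby ) {
    $url = remove_query_arg( 'paged' );
    $url = add_query_arg( 'orderby', $orderby, $url );
    return '<a href="' . $url . '">Sort</a>';
}

// FIXED: the same link logic, with esc_url() wrapping the result before it is
// echoed into an HTML attribute. The wrapper is the only change.
function demo_sort_link_fixed( $orderby ) {
    $url = remove_query_arg( 'paged' );
    $url = add_query_arg( 'orderby', $orderby, $url );
    return '<a href="' . esc_url( $url ) . '">Sort</a>';
}

// For non-HTML contexts (a redirect, a value stored for later use) WordPress
// provides esc_url_raw(), which sanitises the URL without HTML-entity encoding.
function demo_sort_redirect( $orderby ) {
    $url = add_query_arg( 'orderby', $orderby, remove_query_arg( 'paged' ) );
    wp_safe_redirect( esc_url_raw( $url ) );
    exit;
}

// Usage inside a list-table template:
echo demo_sort_link_fixed( 'date' );
```

Auditing a plugin for this issue means locating every add_query_arg()/remove_query_arg() call whose result reaches HTML output and confirming it passes through esc_url() first.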