ASEOHosting Warns WordPress Users Of XSS Vulnerability In Dozens Of WordPress Plugins

ASEOHosting, a provider of premium multiple IP hosting, has warned WordPress users that they should immediately update all out-of-date plugins. A recently disclosed vulnerability that can enable cross-site scripting (XSS) attacks has been found in at least fifteen, and potentially dozens, of the most popular WordPress plugins, including Yoast's WordPress SEO plugin, Jetpack, Gravity Forms, and Easy Digital Downloads.

"We host thousands of WordPress sites, and we want to be sure that everyone knows about this vulnerability and the steps they need to take to mitigate the risk," commented ASEOHosting’s Vice President of Customer Relations, Daniel Page. "We're incredibly impressed by how the WordPress development community has cooperated to create patches and coordinate disclosure, but the existence of the vulnerability needs to be exposed as widely as possible so that WordPress users can apply the patches by updating."

The vulnerability was first reported by Joost de Valk, creator of the hugely popular WordPress SEO plugin, who worked with the WordPress security company Sucuri and numerous other WordPress developers to coordinate disclosure and deploy patches that fix the problem.

The vulnerability stems from the misuse of two core WordPress URL helpers, add_query_arg() and remove_query_arg(). Their documentation was misleading: it led plugin developers to believe that the URLs these functions return are already escaped, that is, that any potentially dangerous characters in them had been rendered harmless for output. They are not. When called without an explicit base URL, the functions build on the current request URI, so whatever an attacker places in that URI is copied into the returned string. An attacker can therefore craft a link carrying malicious markup, embed it on a web page, and trick a logged-in user into clicking it; the markup, and the script it carries, is then rendered and executed in that user's session on the WordPress site (a reflected XSS attack).
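To make the mechanism concrete, here is an added example in PHP; it is not code from this press release, from WordPress core, or from any of the plugins named above. Because WordPress itself is not loaded, add_query_arg_like() and esc_url_like() are simplified stand-ins written for this illustration: the first models the one property of add_query_arg() that matters here, namely that with no base URL it builds on $_SERVER['REQUEST_URI'] and returns the result without HTML escaping; the second mimics the character whitelist esc_url() applies. The request URI, the plugin page name and the tab parameter are all constructed for the example.

```php
<?php
// Added example: a simplified model of the add_query_arg() misuse described above.
// Neither function below is WordPress code; both are stand-ins written for this
// illustration and model only the behaviour relevant to the bug.

// Stand-in for add_query_arg(): with no $base, the URL is built from the current
// request URI. Query values are re-encoded, but the path is copied verbatim and
// nothing in the result is escaped for HTML output.
function add_query_arg_like(array $args, ?string $base = null): string
{
    $url   = $base ?? $_SERVER['REQUEST_URI'];
    $parts = explode('?', $url, 2);
    $query = [];
    if (isset($parts[1])) {
        parse_str($parts[1], $query);
    }
    foreach ($args as $key => $value) {
        $query[$key] = $value;
    }
    $qs = http_build_query($query);
    return $parts[0] . ($qs === '' ? '' : '?' . $qs);
}

// Stand-in for esc_url(): drop every character outside the set esc_url()
// permits (which removes '"', '<', '>' and whitespace), then entity-encode
// the characters that still matter inside an HTML attribute.
function esc_url_like(string $url): string
{
    $url = preg_replace('/[^a-z0-9\-~+_.?#=!&;,\/:%@$|*\'()\[\]\x80-\xff]/i', '', $url);
    return str_replace(['&', "'"], ['&#038;', '&#039;'], $url);
}

// The pattern the advisory describes: the developer assumes the returned URL
// is safe to drop straight into an attribute.
function render_tab_link_vulnerable(string $label): string
{
    $url = add_query_arg_like(['tab' => 'general']);
    return '<a href="' . $url . '">' . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</a>';
}

// The corrected pattern: escape the URL at the point of output.
function render_tab_link_fixed(string $label): string
{
    $url = esc_url_like(add_query_arg_like(['tab' => 'general']));
    return '<a href="' . $url . '">' . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Constructed attacker request (hypothetical plugin page, not a real site):
// the payload rides in the path, which the URL builder copies verbatim.
$_SERVER['REQUEST_URI'] = '/wp-admin/admin.php/"><script>alert(document.cookie)</script>?page=plugin-settings';

echo "Vulnerable:\n", render_tab_link_vulnerable('General'), "\n\n";
echo "Fixed:\n",      render_tab_link_fixed('General'),      "\n";
```

Run it with the PHP command-line interpreter. In the vulnerable output the `"` and `>` from the request path terminate the href attribute and the anchor tag, so the injected script element becomes live markup in the page served to the logged-in user; in the fixed output those characters are stripped and `&` is entity-encoded, leaving a harmless if odd-looking link. Inside WordPress the corresponding fix is to wrap the return value of add_query_arg() or remove_query_arg() in esc_url() before echoing it (or esc_url_raw() when the URL is used somewhere other than HTML output).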

The fix for site owners is simple: upgrade every plugin that is out of date. In many cases WordPress's automatic plugin updates will already have applied the patch, especially for the most serious cases, but some plugin developers, including Joost de Valk, chose not to push the update automatically, and some WordPress users have disabled automatic updates. The only way to be sure is to apply all outstanding plugin upgrades immediately. Plugin developers, for their part, should treat the return value of these functions as untrusted and pass it through esc_url() before printing it into a page (or esc_url_raw() when the URL is used outside HTML output).

###

About ASEOHosting:

ASEOHosting is the leader in providing all types of SEO Hosting, including Shared SEO Hosting, Dedicated SEO Hosting, US Dedicated SEO Servers, and EU Dedicated SEO Servers, based in Orlando, FL, and Detroit, MI, owned and operated by Ahosting, Inc., supplying hosting services that are truly beyond imagination. Since 2002, ASEOHosting has established one of the web’s premier solutions for reseller web hosting, multiple IP hosting, dedicated servers, and VPS hosting. For more information, visit http://www.aseohosting.com.

Contact Author

Daniel Page
ASEOhosting
+1 (800) 362-4678
@ahostingdotnet