The emergency release of WordPress 4.0.1 and other recent code hacks exposed as many issues as they fixed. There is an underlying vulnerability in the code used by WordPress and many of its plugins that could allow injection of malicious JavaScript code. Now plugin updates are coming out furiously fast. I’m collecting a list of them in this post, along with other resources so you can check to see if your site is in danger.
Update: More plugins were added on 1/5/15.
Keep in mind that this is a short list, not a complete one, of plugins that have XSS issues. These are the plugins I believe most of my audience is using.
Plugins with XSS Update Fixes
XSS stands for Cross Site Scripting, the type of security vulnerability involved here. I’ll be adding to this list as more plugins with issues are found and fixed.
Another WordPress Classifieds Plugin – XSS in error message. Fixed in version 3.3.2
Broken Link Checker – XSS in the exclusion list under the user option for which links to check. Fixed in version 1.10.2. The plugin was temporarily removed from the WordPress Plugin Repository due to the cross-site scripting issue and restored once it was fixed.
Contact Form 7 – XSS in module that connects it to Akismet. Fixed in version 4.0.2
Download Manager – XSS issue via uploads. Fixed in version 2.7.5
iTwitter – allowed remote attackers to inject malicious script code. Fixed in version 0.04.
Live Forms – form input fields not sanitized. Fixed in version 1.2.0
Nextend Facebook Connect – no details given other than an XSS fix in version 1.5.2
Post to Twitter – required admin to be tricked into following a link while logged in. Fixed in version 0.7.
SEO Friendly Images – auto adds title and alt attributes to images. Issue fixed in version 3.0.4
SEO Redirection – referrer link was not validated in redirection history. Fixed in version 2.2.
SimpleFlickr – required admin to be tricked into following a link while logged in. Fixed in version 3.0.3
Sliding Social Icons – slides the icons into the screen. It was possible to change the plugin’s admin settings. Fixed in version 1.61
Timed Popup – admin settings stored unsanitized. No fix available.
WP-FB-AutoConnect – allows readers to log into your blog via their Facebook account. Fixed in version 4.0.6
WP-Statistics WordPress – XSS issue on the links on the Statistics > Visitors screen. Fixed in version 8.4.
WP Symposium – multiple XSS issues. Fixed in version 14.11
WooCommerce – same XSS issue as WordPress comment link issue. Fixed in version 2.2.2
WordFence – XSS issue in the whois.php file. Fixed in version 5.1.F
WordPress Google Analytics by Yoast – XSS via non sanitized user-supplied input. Fixed in version 5.1.3
WordPress SEO by Yoast – fixed a possible cross-site scripting issue with encoded entities in a post title. This could potentially allow an author on your site to execute JavaScript when you visit that post’s edit page, allowing them to expand their rights or otherwise. Fixed in version 1.7.1.
More Plugins and More Security Holes
These are some of the more popular plugins I’ve found listed to date with the XSS security issue. Please do let us know of other plugins with the issue. No need to provide a link. I’ll find it.
And this list only covers the XSS issue. There are several other plugins with SQL injection issues right now too. That affects the database.
Site Scanner
There are several scanners available for both XSS vulnerable code as well as SQL injection checks. But, they are not exactly easy to run. Most have to be downloaded, installed, and configured. And many are best for testing specific apps rather than whole websites.
If you know of a good way to scan a site, or its elements, that’s easy for non-geeks to use, please tell us about it in the comments.
WordPress Comments at Risk Too
Here’s a bit more on what was behind the recent WordPress 4.0.1 update, which addressed a different sort of vulnerability.
JavaScript in the native WordPress comments was the main focus of the 4.0.1 patch.
Here’s how the vulnerability works. A spammer leaves a comment with a link that has a script in it. That gets it flagged and the comment is held in moderation. When the site owner goes to the moderation dashboard, the script is executed. It can perform any operations on the site that an admin can. And, it can help a hacker gain access to the host server.
See more on this in the Full Disclosure Statement by security researcher Jouko Pynnonen.
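The defect behind both the plugin fixes listed above and the comment-moderation bug just described is the same: text supplied by an untrusted party (a commenter’s website link, a setting saved from a form) is written into an admin page without escaping. As an added example, not code from the original post or from any plugin it names, here is plain PHP that renders a constructed moderation row the vulnerable way and the hardened way; the helper names (esc, safe_url, sanitize_setting) are mine, and the WordPress functions they stand in for are esc_html(), esc_attr(), esc_url() and sanitize_text_field().

```php
<?php
// Added example, not code from the original post or from any plugin it names.
// Models the defect behind most fixes listed above: untrusted text written into
// an admin page without escaping. Plain PHP so it runs from the CLI; in a
// WordPress plugin use esc_html(), esc_attr(), esc_url(), sanitize_text_field().

// Constructed record standing in for a comment held in moderation.
$comment = [
    'author'     => 'Visitor "<b>name</b>"',
    'author_url' => 'data:text/plain,hello',   // non-http scheme, constructed
    'content'    => 'Nice post <i title="x">!</i>',
];

function esc(string $s): string {
    // Escape for HTML text and attribute context (what esc_html()/esc_attr() do).
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function safe_url(string $url): string {
    // Only http(s) links survive, as esc_url() restricts schemes; anything else is dropped.
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return '';
    }
    return esc($url);
}

function sanitize_setting(string $v): string {
    // Sanitize on save, as sanitize_text_field() does: strip tags and control characters.
    return trim(preg_replace('/[\x00-\x1F\x7F]/', '', strip_tags($v)));
}

function render_row_vulnerable(array $c): string {
    // The 'before' pattern: raw values interpolated straight into markup.
    return '<tr><td><a href="' . $c['author_url'] . '">' . $c['author'] . '</a></td>'
         . '<td>' . $c['content'] . '</td></tr>';
}

function render_row_hardened(array $c): string {
    // Escape per context; a link with a disallowed scheme is rendered as plain text.
    $name = esc($c['author']);
    $href = safe_url($c['author_url']);
    $link = $href === '' ? $name : '<a href="' . $href . '" rel="nofollow ugc">' . $name . '</a>';
    return '<tr><td>' . $link . '</td><td>' . esc($c['content']) . '</td></tr>';
}

echo render_row_vulnerable($comment), "\n";  // the visitor's markup lands in the admin page
echo render_row_hardened($comment), "\n";    // the same values, now inert text
echo sanitize_setting("  <b>My title</b>\x07 "), "\n";
```

Both halves matter: sanitizing on save limits what gets stored, and escaping on output is what actually prevents the stored value from running as script in the moderator’s browser.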
How to Protect Against It
The WordPress 4.0.1 patch was supposed to take care of it. But if you want to take it to a new level, read on.
If you go to Settings > Discussion > Comment Moderation (shown below) you’ll see that there is no setting to disable links completely. The only thing you can do is hold a comment in moderation, and that’s exactly how the hacker gets you to execute the code.
I found some coding options, but no good plugins to block spammers from leaving links in the first place. That includes ways to take out the field for their website.
If you know of one, leave us a comment. And hey, don’t use a link, okay? Just give us the name of it, we’ll Google it.
And if you’re using a premium comment system, like CommentLuv, that is honey to spammers, are you thinking of getting rid of it now?
It’s a Long Way From Over
New attacks on old code are just getting started. Please do keep checking in to see the latest.
Best Places to Follow
BlogAid Tips Tuesday Podcast and post – you can read and/or listen to weekly site success tips on a variety of topics including WordPress, plugins, SEO, content marketing, and more.
MaAnna on G+ – that’s where I hang out most, and where I release the most up to date news on plugins and security.
So I have a question – should I be using that Comment Moderation thing – and if so, how many links should I put in the box? Thanks!
I don’t mean to be vague, but it depends. Most folks who comment on BlogAid don’t need to include links. So, I definitely want to moderate any that do have them because they are most likely spam. If your audience needs to share links regularly, then moderating them just slows up the conversation and makes more work for you on the admin side.
Hello,
Thank you for the information. Can you just disable links immediately when they are typed in?