Many very popular plugins for SEOs, including WordPress SEO, Google Analytics by Yoast, All In one SEO and WPTouch. WPTouch is particularly noteworthy as many webmasters used it to get their websites ready for Google’s mobile friendly ranking algo.
Securi disclosed the issue and the known affected plugins.
This particular exploit could be done on the front end in some plugins while others required admin login. But the issue actually can be attributed to unclear information in the WordPress Codex that led to developers inadvertantly leaving the XSS vulnerability. Yoast also talks about the issue in their plugin, and how it was discovered and responsibly disclosed to them.
Here is the full list of known WordPress plugins affected by this issue.
- WordPress SEO
- Google Analytics by Yoast
- All In one SEO
- Gravity Forms
- Multiple Plugins from Easy Digital Downloads
- Download Monitor
- Related Posts for WordPress
- My Calendar
- P3 Profiler
- Multiple iThemes products including Builder and Exchange
- Ninja Forms
What is interesting about this case is that all these plugin developers worked together in order to push the updates at the same time, which reduced the chance hackers would see the first one updated and could go and exploit the other plugins with the same vulnerability that hadn’t been updated yet.
Users should update the above plugins immediately. It is also a good idea to update all plugins, as some smaller plugins could have this vulnerability but weren’t identified as being affected.
It is always best to update plugins immediately when a new one is available or have it done automatically. While this was publicized, often developers will quietly update to close exploits without detailing why, leaving many webmasters with vulnerable plugins which haven’t been updated.
Latest posts by Jennifer Slegg (see all)
- Google Quality Rater Guidelines Update: New Introduction, Rater Bias & Political Affiliations - December 6, 2019
- Google Updates Quality Rater Guidelines: Reputation for News Sites; Video Content Updates; Quality for Information Sites - September 13, 2019
- Google Makes Major Changes to NoFollow, Adds Sponsored & UGC Tags - September 10, 2019
- Google Updates Quality Rater Guidelines Targeting E-A-T, Page Quality & Interstitials - May 17, 2019
- Google Local Service Ads Display Pricing Estimates for Specific Locations - August 31, 2018