Categories: SEO, WordPress

Many WordPress Plugins With XSS Exploit, WordPress SEO, All in One SEO & Google Analytics by Yoast Affected

Many very popular plugins used by SEOs are affected, including WordPress SEO, Google Analytics by Yoast, All in One SEO and WPTouch. WPTouch is particularly noteworthy because many webmasters used it to get their websites ready for Google’s mobile-friendly ranking algorithm.

Sucuri disclosed the issue and the list of known affected plugins.

In some plugins this particular exploit could be triggered from the front end, while in others it required an admin login. The underlying cause has been attributed to unclear information in the WordPress Codex, which led developers to inadvertently leave the XSS vulnerability in their code. Yoast also discusses the issue in their plugin, how it was discovered, and how it was responsibly disclosed to them.
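To make the class of bug concrete, here is an added illustration that is not code from the article or from any of the plugins named. It assumes a hypothetical plugin admin page that builds a link back to itself with WordPress's add_query_arg() and echoes the result into HTML; add_query_arg(), esc_url() and esc_html() are real WordPress functions, but the article does not name which Codex guidance was unclear, so pairing the bug with this particular helper is an assumption made for the example. The defensive point holds regardless of which helper built the URL: escape at the point of output.

```php
<?php
// Added example, not from the article or any listed plugin.
// Hypothetical plugin admin page; the semp_example_* function names are invented.

// VULNERABLE: add_query_arg() with no base URL builds on the current request
// URI, so anything the visitor placed in the URL is reflected straight back
// into the href attribute without escaping (reflected XSS).
function semp_example_render_tab_link_unsafe( $tab ) {
    $url = add_query_arg( 'tab', $tab );            // still carries raw request data
    echo '<a href="' . $url . '">' . $tab . '</a>';  // unescaped output
}

// FIXED: escape at output. esc_url() rejects unsafe schemes and strips or
// encodes characters that could break out of the attribute; esc_html()
// protects the visible link text.
function semp_example_render_tab_link_safe( $tab ) {
    $url = add_query_arg( 'tab', $tab );
    echo '<a href="' . esc_url( $url ) . '">' . esc_html( $tab ) . '</a>';
}
```

The practical check for a plugin maintainer is to search for every place a URL or request value reaches an echo or printf and confirm it passes through esc_url(), esc_attr() or esc_html() first; the same review applies to any smaller plugin that was not on the published list.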

Here is the full list of known WordPress plugins affected by this issue.

  • Jetpack
  • WordPress SEO
  • Google Analytics by Yoast
  • All in One SEO
  • Gravity Forms
  • Multiple Plugins from Easy Digital Downloads
  • UpdraftPlus
  • WP-E-Commerce
  • WPTouch
  • Download Monitor
  • Related Posts for WordPress
  • My Calendar
  • P3 Profiler
  • Give
  • Multiple iThemes products including Builder and Exchange
  • Broken-Link-Checker
  • Ninja Forms

What is interesting about this case is that all of these plugin developers coordinated to push their updates at the same time. This reduced the chance that attackers would see the first plugin updated and then go after the other plugins that shared the same vulnerability but had not yet been patched.

Users should update the above plugins immediately. It is also a good idea to update all plugins, as some smaller plugins could have this vulnerability without having been identified as affected.

This is the latest in a string of recently discovered WordPress plugin exploits, including Google Analytics by Yoast, SEO by Yoast, Shareaholic, RevSlider and Fancybox-for-WordPress.

It is always best to update plugins as soon as a new version is available, or to have updates applied automatically. While this issue was publicized, developers often quietly release updates that close exploits without explaining why, leaving many webmasters running vulnerable plugins that haven’t been updated.

Jennifer Slegg

Founder & Editor at The SEM Post
Jennifer Slegg is a longtime speaker and expert in search engine marketing, working in the industry for almost 20 years. When she isn't sitting at her desk writing and working, she can be found grabbing a latte at her local Starbucks or planning her next trip to Disneyland. She regularly speaks at Pubcon, SMX, State of Search, Brighton SEO and more, and has been presenting at conferences for over a decade.